Should I get rid of the default Tomcat page?

Timothy Sam
Ranch Hand

Joined: Sep 18, 2005
Posts: 746
Are there any security concerns about leaving the default Tomcat page? Or is it ok to leave it just like that?


SCJP 1.5
http://devpinoy.org/blogs/lamia/ - http://everypesocounts.com/
Naseem Khan
Ranch Hand

Joined: Apr 25, 2005
Posts: 809
Are there any security concerns about leaving the default Tomcat page?


Not getting. leaving?

Naseem


Asking Smart Questions FAQ - How To Put Your Code In Code Tags
Timothy Sam
Ranch Hand

Joined: Sep 18, 2005
Posts: 746
When we first install Tomcat, there is the default greeting page. I want to know if I should leave (make it stay as it is, or make no changes to) it as it is. Or should I do something about it? Thank you for your reply.
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

While you should never rely solely on 'security by obscurity', it certainly can't hurt to hide every detail possible about the system you're running.

Most well-written sites will provide their own 404 and 500 error pages.
Any default pages will have information about the site or company that the site was written for, not the server that is being used to run the site.

So I would say Yes, get rid of that page in your production environment.
Why hand a would-be cracker the make and version of the container he is trying to break into?

While you're at it, get rid of any of the apps that ship with Tomcat if you're not using them (Balancer, documentation, examples, etc.).
If you're going to use the manager app, it wouldn't hurt to rename it so someone can't just type "http://www.yourdomain.com/manager" to find out if you're using Tomcat.


Java API J2EE API Servlet Spec JSP Spec How to ask a question... Simple Servlet Examples jsonf
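
A check for the leftovers listed in the answer above, as an added example that is not part of the original thread. The function names, the `docs`, `host-manager` and `balancer` directory names, the "Apache Tomcat" heuristic for spotting the stock welcome page, and the sample layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Tomcat base directory for the
# leftovers named in the answer. Directory names "docs", "host-manager" and
# "balancer" are assumptions about the stock webapps layout.

# Print each shipped webapp still deployed under $1/webapps, one per line.
shipped_apps_present() {
    for app in balancer docs examples host-manager manager; do
        if [ -d "$1/webapps/$app" ]; then echo "$app"; fi
    done
    # Heuristic (assumption): a ROOT index page naming the container is the stock one.
    if grep -qs "Apache Tomcat" "$1"/webapps/ROOT/index.*; then
        echo "ROOT (default welcome page)"
    fi
}

# Print each of 404 and 500 lacking an <error-code> mapping in web.xml file $1.
# Line-based match: an element split across lines is reported as missing.
missing_error_pages() {
    for code in 404 500; do
        if ! grep -Eqs "<error-code>[[:space:]]*$code[[:space:]]*</error-code>" "$1"; then
            echo "$code"
        fi
    done
}

# Constructed sample layout so the script runs offline; prints its path.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/webapps/ROOT/WEB-INF" "$base/webapps/manager" "$base/webapps/shop"
    echo '<h1>Apache Tomcat</h1>' > "$base/webapps/ROOT/index.jsp"
    printf '%s\n' '<web-app>' \
        '<error-page><error-code>404</error-code><location>/404.html</location></error-page>' \
        '</web-app>' > "$base/webapps/ROOT/WEB-INF/web.xml"
    echo "$base"
}

sample=$(make_sample)
echo "Shipped apps still deployed:"
shipped_apps_present "$sample"
echo "Status codes without a custom error page:"
missing_error_pages "$sample/webapps/ROOT/WEB-INF/web.xml"
rm -rf "$sample"
```

To audit a real install, pass the Tomcat base directory (`$CATALINA_BASE`) to `shipped_apps_present` and the application's `WEB-INF/web.xml` to `missing_error_pages`.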
 