What is the best way to hide the Tomcat version from the error pages?


Could somebody please let me know which of the following two approaches is recommended, and why:

  • Make the necessary changes to ServerInfo.properties

  • Define "error-page" in web.xml

The answers are a bit outdated, so: if you're using Tomcat 6 or newer (I've tested on Tomcat 7), you can use the ErrorReportValve to achieve the same in a way that is much easier to configure and maintain. Just add the following lines to the Host section of your server.xml (where you should already have the AccessLogValve):

<Valve className="org.apache.catalina.valves.ErrorReportValve"
       showReport="false" showServerInfo="false" />

In this way you are hiding the server info and (because of the optional showReport=false) also the stack traces.

You can read more about this in the Security How To and in the documentation of the Error Report Valve.
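To confirm the setting is in place on every virtual host, the following added example (not part of the original answer) audits a server.xml for Host elements whose error pages can still disclose the version or stack traces. The function name, host names and sample configuration are constructed for illustration; it relies on both ErrorReportValve attributes defaulting to true when they are not set.

```python
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.ErrorReportValve"
# Both attributes default to true when they are absent from the Valve element.
FLAGS = ("showReport", "showServerInfo")


def audit_server_xml(xml_text):
    """Return (host_name, problem) pairs for every Host that can still leak."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("Host"):
        name = host.get("name", "<unnamed>")
        valves = [v for v in host.findall("Valve") if v.get("className") == VALVE]
        if not valves:
            # Without an explicit valve the Host falls back to a default
            # ErrorReportValve, which shows the report and the server info.
            findings.append((name, "no ErrorReportValve configured; defaults apply"))
            continue
        for valve in valves:
            for flag in FLAGS:
                value = valve.get(flag, "true").strip().lower()
                if value != "false":
                    findings.append((name, f"{flag} is {value}"))
    return findings


# Constructed sample configuration: one hardened host, one partially
# hardened host, and one host with no ErrorReportValve at all.
SAMPLE = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"/>
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
      <Host name="admin.example.test" appBase="admin">
        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false"/>
      </Host>
      <Host name="legacy.example.test" appBase="legacy"/>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    for host, problem in audit_server_xml(SAMPLE):
        print(f"{host}: {problem}")
```

The check only inspects Valve elements nested directly in a Host, which is where the answer places the setting.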