
As per a security requirement, I have to set the X-Powered-By header to an empty string. I have been trying to set the header in a filter, but when I look at the headers in Firebug I see that the custom header value set by my filter is appended with JSF/1.2.

The filter is the first one in the request chain and implicitly the last one in the response chain. Below is the sample code that I have written in the doFilter method.

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    // App specific logic...
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    httpResponse.setHeader("X-Powered-By", "");
    chain.doFilter(request, response);
}

I am using Tomcat 6. As my filter is the last one in the response chain, is Tomcat setting this header again after control goes back to the Tomcat connector?

How do I override this value with my custom value?

Anugoonj
  • You know, security by obscurity doesn't really work. – schlingel Dec 10 '13 at 15:11
  • Yes, I am aware; this security requirement is on top of other already implemented robust mechanisms. If this can demotivate at least one illegitimate user from doing something, I think I would break even :) – Anugoonj Dec 10 '13 at 16:34

3 Answers


You are setting the response header before the rest of the application has had time to process the response. You should set it after the doFilter call:

HttpServletResponse httpResponse = (HttpServletResponse) response;
// before filters and servlets
chain.doFilter(request, response);
// after filters and servlets
httpResponse.setHeader("X-Powered-By", "");

Also, make sure the response isn't committed before setting the header. You might have to change what your other servlets are doing or wrap the HttpServletResponse.

If the header is being added by the Jasper JSP engine, you can check to see if it's configured that way. Your Jasper servlet in $CATALINA_BASE/conf/web.xml might have the init-param xpoweredBy set to true.

Sotirios Delimanolis
  • @Sotirios Delimanolis: Thanks. Setting the header after chaining does not seem to set the custom value. Setting it before does set it, but the value "JSF/1.2" gets appended to it. The xpoweredBy init-param was set to false by default. Any other pointers? – Anugoonj Dec 10 '13 at 16:31
  • @Anugoonj Check out http://stackoverflow.com/questions/8846090/how-to-remove-duplicate-x-powered-by-jsf-2-0 – Sotirios Delimanolis Dec 10 '13 at 16:32
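One way to make the "set it before, but keep JSF from appending" approach work, as an added example rather than code from the question or any answer: wrap the response passed down the chain in an HttpServletResponseWrapper that discards every later setHeader/addHeader call for X-Powered-By, so the empty value written by the filter is the only one the client sees. It assumes the Servlet 2.5 API that ships with Tomcat 6 (javax.servlet.*); the class and wrapper names are mine.

```java
// Added example, not code from the question or answers: wrap the response so every
// later setHeader/addHeader for X-Powered-By (e.g. JSF's "JSF/1.2") is dropped.
// Assumes the Servlet 2.5 API shipped with Tomcat 6 (javax.servlet.*).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class XPoweredByFilter implements Filter {
    private static final String HEADER = "X-Powered-By";

    /** Drops any attempt by downstream code (JSF, Jasper, servlets) to set or add X-Powered-By. */
    private static final class StripHeaderResponse extends HttpServletResponseWrapper {
        StripHeaderResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void setHeader(String name, String value) {
            if (!HEADER.equalsIgnoreCase(name)) {
                super.setHeader(name, value);
            }
        }

        @Override
        public void addHeader(String name, String value) {
            if (!HEADER.equalsIgnoreCase(name)) {
                super.addHeader(name, value);
            }
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // Write the required empty value once on the real response, before anything
        // downstream can commit it; the wrapper then blocks every later addition.
        httpResponse.setHeader(HEADER, "");
        chain.doFilter(request, new StripHeaderResponse(httpResponse));
    }

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }
}
```

Headers that the container adds after the filter chain returns never pass through this wrapper; on Tomcat that is the connector's own xpoweredBy attribute, which defaults to false, so check it if the value still changes.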

There's a similar question on Stack Overflow here: JSF, override HTTP headers

In short: you need to write a PhaseListener. A filter seems to be called before the JSF servlet, so your header will be overwritten when you're trying to overwrite the response header.

schlingel

We can disable the X-Powered-By header in WildFly as well as in the WebLogic server.

For WildFly Server:

Navigate to the path Configuration => Subsystem => Web => Settings => Servlet Container => default => JSP

There we can see the X-Powered-By header configuration, which we can enable or disable.

[WildFly X-Powered-By header configuration] https://i.stack.imgur.com/gs4TT.png

For WebLogic Server:

Navigate to the path Home => Summary of Domain Partitions => Summary of Deployments => Summary of Domain Partitions => Summary of partition Work managers => base_domain => Configurations => Web Applications

There we can see the X-Powered-By header configuration, which we can enable with the listed values or disable.

[WebLogic X-Powered-By header configuration] https://i.stack.imgur.com/rFvrM.png