WebApp Sec mailing list archives
Re: [WEB SECURITY] Tomcat Security
From: Ron Forrester <itripn () gmail com>
Date: Thu, 11 Aug 2005 09:17:56 -0700
On 8/11/05, Nathan Tobik <nathan.tobik () vigilantminds com> wrote:
> about the value of changing banners. From what I remember there is almost no security value added by changing a banner. I would work on making sure your application is secure and then it won't matter if an attacker knows you're running Java or not.
Not to dig up that past conversation again, but I don't remember the conclusion really being that it was exactly useless. Yes, there are better things to focus on, but if a 30 second change to the web server config can thwart simplistic attacks (worms, etc.) which ID victims by version/header information, seems reasonable to me, and certainly can't hurt. I believe a basic tenet of security is not to give out unrequired or unnecessary information.

Having said all that, I once spent a few minutes looking at how to do this on Tomcat, and got quickly distracted by other issues, so I didn't figure it out.

-- rjf