WebApp Sec mailing list archives

Re: [WEB SECURITY] Tomcat Security


From: Ron Forrester <itripn () gmail com>
Date: Thu, 11 Aug 2005 09:17:56 -0700

On 8/11/05, Nathan Tobik <nathan.tobik () vigilantminds com> wrote:
about the value of changing banners.  From what I remember there is
almost no security value added by changing a banner.  I would work on
making sure your application is secure and then it won't matter if an
attacker knows you're running Java or not.

Not to dig up that past conversation again, but I don't remember the
conclusion really being that it was exactly useless. Yes there are
better things to focus on, but if a 30 second change to the web server
config can thwart simplistic attacks (worms, etc.) which ID victims by
version/header information, seems reasonable to me, and certainly
can't hurt. I believe a basic tenet of security is not to give out
unrequired or unnecessary information.

Having said all that, I once spent a few minutes looking at how to do
this on Tomcat, and got quickly distracted by other issues, so I
didn't figure it out.

-- 
rjf&

