As such, it is not a security flaw in itself, but it is still a good idea to hide this information. If vulnerabilities are discovered in this specific version in the future and your service is not upgraded to a more secure version of Tomcat (which ideally should not happen, but in practice can, for various reasons), then advertising to the world that you are running a vulnerable version makes the work of anyone targeting your server easier.
To hide this information, you can follow the procedure described on this page or, alternatively, the one described on the OWASP website (which also includes other tips for keeping your instance secure and is worth reading):
1. Find the file catalina.jar (it is inside the folder specified as CATALINA_HOME, in the subfolder server\lib) and extract the file org/apache/catalina/util/ServerInfo.properties from it.
2. Update this file by replacing (or adding) the server.info key with some string of your choice. Example:
   server.info=Apache Tomcat
3. Do one of the two following:
   - Put the updated file back into the jar (this may break some applications, such as Lambda Probe); or
   - Create the folder structure lib\org\apache\catalina\util within CATALINA_HOME and place the modified version of ServerInfo.properties there.
4. Restart Tomcat.
This should cause the error messages to display the string you chose (in the example above, Apache Tomcat) instead of the one that reveals the version number.