Hide Tomcat version from the error message

A default Tomcat configuration can expose sensitive information that helps an attacker prepare an attack on the application. This article describes how to remove the version string from Tomcat HTTP error messages without repackaging catalina.jar. In our experience, the standard approach is to unzip catalina.jar and remove the version.

Note: all folder and file names are case sensitive.

  1. Go to <Tomcat_INSTALL_DIR>/bin/tomcat/lib.
  2. Create the following subfolder/directory structure:

org\apache\catalina\util\

  3. In that folder, create a text file named ServerInfo.properties.
  4. Add the following line to the ServerInfo.properties file and save. You can choose any value that you want to appear in the message.

server.info=My Company

  5. Stop and start the Tomcat service.
  6. Sample screenshot after making the above change.
  7. Tomcat startup log screen print.
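The steps above as a shell script, added here as an example and not part of the original article: `write_override` creates the case-sensitive directory tree and the properties file, and `leaks_version` checks a saved error-page body for the stock `Apache Tomcat/<version>` banner. The function names, the `--demo` flag and the sample page bodies are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function names, the --demo
# flag and the sample error-page bodies are hypothetical/constructed.

# write_override LIB_DIR SERVER_INFO
# Creates LIB_DIR/org/apache/catalina/util/ServerInfo.properties (names are
# case sensitive) and keeps a .bak copy of any earlier override.
write_override() {
    lib_dir=$1
    info=$2
    [ -d "$lib_dir" ] || { echo "no such lib directory: $lib_dir" >&2; return 1; }
    target_dir="$lib_dir/org/apache/catalina/util"
    target="$target_dir/ServerInfo.properties"
    mkdir -p "$target_dir" || return 1
    if [ -f "$target" ]; then cp -p "$target" "$target.bak" || return 1; fi
    printf 'server.info=%s\n' "$info" > "$target"
}

# leaks_version FILE
# Returns 0 if a saved error-page body still carries the stock
# "Apache Tomcat/<digits>" banner, 1 if it does not.
leaks_version() {
    grep -Eq 'Apache Tomcat/[0-9]+(\.[0-9]+)*' "$1"
}

# demo: runs both functions against a throwaway directory and two
# constructed error-page footers (before and after the change).
demo() {
    demo_tmp=$(mktemp -d) || return 1
    mkdir "$demo_tmp/lib"
    write_override "$demo_tmp/lib" "My Company" || return 1
    printf '<h3>Apache Tomcat/9.0.0</h3>\n' > "$demo_tmp/before.html"  # constructed
    printf '<h3>My Company</h3>\n' > "$demo_tmp/after.html"            # constructed
    leaks_version "$demo_tmp/before.html" && ! leaks_version "$demo_tmp/after.html"
    rc=$?
    rm -rf "$demo_tmp"
    return $rc
}

# Real use: write_override "<Tomcat_INSTALL_DIR>/bin/tomcat/lib" "My Company",
# restart Tomcat, save an error response to a file, then run leaks_version on it.
if [ "${1:-}" = "--demo" ]; then demo && echo "override hides the version"; fi
```

After restarting Tomcat, save the body of any error response (for example a 404) to a file and pass it to `leaks_version`; a zero exit status means the default banner is still being served.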
