Turn off “X-Powered-By” and “Server” headers in WildFly 10

Posted By Mariusz Wyszomierski

According to the OWASP recommendation “Fingerprint Web Application Framework (OTG-INFO-008)”, you must turn off the specific headers sent by the application server or by the framework in use. The less information an attacker has, the harder the attack will be.

Below are instructions to run in jboss-cli in standalone mode.

$WILDFLY_HOME/bin/jboss-cli.sh --connect

Turn off “X-Powered-By” and “Server” headers returned by WildFly

/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove()
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove()
/subsystem=undertow/configuration=filter/response-header=server-header:remove()
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header:remove()

Turn off “X-Powered-By” header generated by servlet engine

/subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=x-powered-by,value=false)

Delete welcome-content

It’s a good idea to turn off the WildFly start page.

/subsystem=undertow/server=default-server/host=default-host/location=\/:remove()
/subsystem=undertow/configuration=handler/file=welcome-content:remove()
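
A check for the result of the steps above, as an added example that is not part of the original post: a shell function that reads a response head (for example the output of curl -sI) and reports any remaining “Server” or “X-Powered-By” header. The function name and the sample responses, including their header values, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# check_fingerprint_headers: reads a raw HTTP response head on stdin and prints
# every Server / X-Powered-By header line it finds.
# Exit status: 0 = none found, 1 = at least one fingerprinting header present.
check_fingerprint_headers() {
    # Drop CR from CRLF line endings, stop at the blank line that ends the
    # header block (so a body is never scanned), and compare header names
    # case-insensitively, because HTTP header names are case-insensitive.
    found=$(tr -d '\r' | awk '
        $0 == "" { exit }
        {
            name = tolower($0)
            sub(/:.*/, "", name)
            if (name == "server" || name == "x-powered-by") print
        }')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample: a response head before the change (values illustrative).
SAMPLE_BEFORE='HTTP/1.1 200 OK
Connection: keep-alive
X-Powered-By: Undertow/1
Server: WildFly/10
Content-Type: text/html'

# Constructed sample: a response head after the headers and welcome page are removed.
SAMPLE_AFTER='HTTP/1.1 404 Not Found
Connection: keep-alive
Content-Length: 74
Content-Type: text/html'

# Offline demonstration on the two constructed samples.
echo "before:"
printf '%s\n' "$SAMPLE_BEFORE" | check_fingerprint_headers \
    || echo "-> fingerprinting headers still present"
echo "after:"
printf '%s\n' "$SAMPLE_AFTER" | check_fingerprint_headers \
    && echo "-> no fingerprinting headers"
```

Against a running instance, pipe the output of curl -sI for the server URL into check_fingerprint_headers; the URL (for example http://localhost:8080/ on a default standalone install) is an assumption about your setup. Check a JSP page as well, since the servlet engine sets its own “X-Powered-By” header.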


3 thoughts on “Turn off “X-Powered-By” and “Server” headers in WildFly 10”

  1. Hi, I am not getting this property how to set globally.

    I configured in standalone.xml of wildfly9

    this is not working.

      1. Maybe your server or host has a name other than “default-server” or “default-host”.
        Try to use the autocomplete of jboss-cli – don’t copy-paste 🙂
