According to the OWASP Testing Guide recommendation “Fingerprint Web Application Framework (OTG-INFO-008)”, you should turn off the identifying headers that the application server or framework sends by default. The less information an attacker has about the stack, the harder it is to pick a targeted attack.
Below are the commands to run in jboss-cli against a WildFly server in standalone mode.
$WILDFLY_HOME/bin/jboss-cli.sh --connect
Turn off “X-Powered-By” and “Server” headers returned by Wildfly
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove()
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove()
/subsystem=undertow/configuration=filter/response-header=server-header:remove()
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header:remove()
Turn off “X-Powered-By” header generated by servlet engine
/subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=x-powered-by,value=false)
Delete welcome-content
It is also good to turn off the WildFly start page, which identifies the server on its own.
/subsystem=undertow/server=default-server/host=default-host/location=\/:remove()
/subsystem=undertow/configuration=handler/file=welcome-content:remove()
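As an added example (not part of the original post), the following POSIX shell script wraps the commands above in a jboss-cli batch and adds a small audit that reads captured response headers and reports whether Server or X-Powered-By is still present. It assumes the stock names default-server and default-host and that $WILDFLY_HOME points at the WildFly installation; the sample responses are constructed.

```shell
# Added example, not from the original post: apply its jboss-cli commands as one
# batch, then audit a captured HTTP response for the headers it removes.
# Assumes the stock names default-server/default-host and $WILDFLY_HOME set.
HARDEN_CLI='
batch
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove()
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove()
/subsystem=undertow/configuration=filter/response-header=server-header:remove()
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header:remove()
/subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=x-powered-by,value=false)
/subsystem=undertow/server=default-server/host=default-host/location=\/:remove()
/subsystem=undertow/configuration=handler/file=welcome-content:remove()
run-batch
:reload
'
# Feed the batch to a running standalone server; skipped when no CLI is found.
apply_hardening() {
  cli="${WILDFLY_HOME:-/nonexistent}/bin/jboss-cli.sh"
  [ -x "$cli" ] || { echo "jboss-cli.sh not found, nothing applied" >&2; return 1; }
  printf '%s\n' "$HARDEN_CLI" | "$cli" --connect
}

# Read raw response headers on stdin (e.g. from curl -sI). Print the fingerprinting
# header names still present, comma-separated, and return 1; return 0 when clean.
audit_headers() {
  found=$(tr -d '\r' | awk -F: '
      /^$/ { exit }                  # headers end at the first blank line
      { n = tolower($1) }            # header names are case-insensitive
      n == "server" || n == "x-powered-by" { out = out (out ? "," : "") n }
      END { printf "%s", out }')
  [ -n "$found" ] && printf '%s\n' "$found" && return 1
  return 0
}

# Constructed samples: a stock WildFly response, and the same after hardening.
BEFORE='HTTP/1.1 200 OK
Connection: keep-alive
X-Powered-By: Undertow/1
Server: WildFly/9
Content-Type: text/html;charset=UTF-8'
AFTER='HTTP/1.1 200 OK
Connection: keep-alive
Content-Type: text/html;charset=UTF-8'

# Live check once applied:  curl -sI http://localhost:8080/ | audit_headers
printf '%s\n' "$BEFORE" | audit_headers || echo "stock response still leaks headers"
printf '%s\n' "$AFTER" | audit_headers && echo "hardened response is clean"
```

The batch applies all or nothing, so a typo in one path leaves the configuration untouched instead of half-hardened.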
Hi, I am not getting this property; how to set it globally?
I configured it in standalone.xml of WildFly 9.
This is not working.
Maybe your server or host has a different name than “default-server” or “default-host”.
Try to use the autocomplete of jboss-cli – don’t copy-paste 🙂