Turn off “X-Powered-By” and “Server” headers in WildFly 10

According to the OWASP recommendation "Fingerprint Web Application Framework (OTG-INFO-008)", you must turn off specific headers that are sent by the application server or the framework in use. The less information an attacker has, the harder it is to attack.

Below are instructions to run in jboss-cli in standalone mode.

$WILDFLY_HOME/bin/jboss-cli.sh --connect

Turn off "X-Powered-By" and "Server" headers returned by WildFly

/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove()
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove()
/subsystem=undertow/configuration=filter/response-header=server-header:remove()
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header:remove()

Turn off "X-Powered-By" header generated by servlet engine

/subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=x-powered-by,value=false)

Delete welcome-content

/subsystem=undertow/server=default-server/host=default-host/location=\/:remove()
/subsystem=undertow/configuration=handler/file=welcome-content:remove()
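
To confirm the change took effect, the shell functions below scan the header block of an HTTP response for "Server" and "X-Powered-By". This is an added example, not part of the original post; the function names, the constructed sample responses and the localhost:8080 address in the comment are assumptions.

```shell
#!/bin/sh
# Print (lower-cased) every fingerprinting header found in the raw HTTP
# response read from stdin. Only the header block is inspected.
fingerprint_headers() {
    awk '
        { sub(/\r$/, "") }      # strip the CR of CRLF line endings
        /^$/ { exit }           # blank line: headers are over, skip the body
        {
            name = tolower($0)  # header names are case-insensitive
            sub(/[ \t]*:.*/, "", name)
            if (name == "server" || name == "x-powered-by") print name
        }
    '
}

# Exit status 0 when the response on stdin is clean, 1 when a header leaks.
check_response() {
    leaks=$(fingerprint_headers)
    if [ -n "$leaks" ]; then
        printf 'still exposed: %s\n' $leaks >&2
        return 1
    fi
    return 0
}

# Constructed sample responses (not captured from a real server).
BEFORE=$(printf 'HTTP/1.1 200 OK\r\nX-Powered-By: Undertow/1\r\nServer: WildFly/10\r\nContent-Type: text/html\r\n\r\n<html>')
AFTER=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nServer: text in the body')

for sample in "$BEFORE" "$AFTER"; do
    if printf '%s\n' "$sample" | check_response; then
        echo "clean"
    else
        echo "needs hardening"
    fi
done

# Live use (assumed default address):
#   curl -sI http://localhost:8080/ | check_response
```

Run the check against an application URL as well as the root, because the servlet engine's "X-Powered-By" header is controlled by a separate setting.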
