Turn off "X-Powered-By" and "Server" headers in WildFly 10


According to the OWASP testing guide "Fingerprint Web Application Framework (OTG-INFO-008)", you should turn off the headers through which the application server or framework identifies itself. The less information an attacker has about the stack, the harder it is to pick a matching attack.

Below are the commands to run in jboss-cli against a server running in standalone mode.

$WILDFLY_HOME/bin/jboss-cli.sh --connect

Turn off the "X-Powered-By" and "Server" headers returned by WildFly

/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove()
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove()
/subsystem=undertow/configuration=filter/response-header=server-header:remove()
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header:remove()

Turn off the "X-Powered-By" header generated by the servlet engine for JSP pages

/subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=x-powered-by,value=false)

Delete the welcome-content (the default WildFly welcome page served at /, which also reveals the server)

/subsystem=undertow/server=default-server/host=default-host/location=\/:remove()
/subsystem=undertow/configuration=handler/file=welcome-content:remove()
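To confirm the change took effect, here is an added shell script (not part of the original post) that checks captured response headers for "Server" and "X-Powered-By" and can also query a live server; it assumes WildFly listens on http://localhost:8080 (placeholder) and that curl is available, and the sample responses are constructed.

```shell
#!/bin/sh
# Verify that a WildFly host no longer discloses "Server" or "X-Powered-By".
# Added example, not from the original post. Assumes WildFly answers on
# http://localhost:8080 (placeholder) and that curl is installed for live checks.

# Print the disclosing header lines found in a block of raw response headers
# (as captured by `curl -sI`). Prints nothing when the response is clean.
disclosed_headers() {
  printf '%s\n' "$1" | tr -d '\r' | grep -iE '^(server|x-powered-by):' || true
}

# Return 0 when the headers are clean, 1 when at least one is still sent.
check_headers() {
  [ -z "$(disclosed_headers "$1")" ]
}

# Fetch headers from a running server and check them; returns 2 if unreachable.
# Run it against a static resource and against a JSP page, because the servlet
# container adds its own X-Powered-By unless the jsp setting is changed too.
check_live() {
  url="${1:-http://localhost:8080/}"
  headers=$(curl -sI --max-time 5 "$url") || return 2
  check_headers "$headers"
}

# Constructed samples: a typical WildFly 10 response before and after the change.
BEFORE_SAMPLE='HTTP/1.1 200 OK
Server: WildFly/10
X-Powered-By: Undertow/1
Content-Type: text/html'

AFTER_SAMPLE='HTTP/1.1 200 OK
Content-Type: text/html'

# Usage: ./check_headers.sh --live http://host:8080/some.jsp
if [ "${1:-}" = "--live" ]; then
  if check_live "${2:-}"; then
    echo "clean: no fingerprinting headers"
  else
    echo "still disclosed (or server unreachable)"
  fi
fi
```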
