Avoid information disclosure in response headers for JBoss

In some JBoss versions it was observed that certain response headers are enabled by default; these can be removed to avoid undesired information disclosure. Such a header can, for example, reveal the version number of the application server in use.

Execute commands and restart server

To remove these headers, connect to the running instance via the command line interface, using your management port (10048 in the example below):

./jboss-cli.sh --connect controller=localhost:10048

Execute these commands within the command line interface:

/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove()
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove()
/subsystem=undertow/configuration=filter/response-header=server-header:remove()
/subsystem=undertow/configuration=filter/response-header=x-powered-by-header:remove()
/subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=x-powered-by,value=false)
/subsystem=undertow/server=default-server/host=default-host/location=\/:remove()
/subsystem=undertow/configuration=handler/file=welcome-content:remove()

After having executed all commands, restart the server.

For related information see [Red Hat Undertow].
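After the restart, confirm that the disclosing headers are really gone. The following shell check is an added example and not part of the original page or of JBoss itself: disclosing_headers() reads raw HTTP response headers on stdin and reports any Server or X-Powered-By header it finds. The sample header dumps are constructed, and the hostname and port 8080 used in the live curl call are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). disclosing_headers() reads raw HTTP
# response headers on stdin, prints every Server / X-Powered-By header it finds
# and returns 1 when at least one was found, 0 when the response is clean.
disclosing_headers() {
    # drop CR from HTTP line endings; header names are case-insensitive
    found=$(tr -d '\r' | grep -i -E '^(server|x-powered-by):' || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample of a default Undertow response before the filters were
# removed (values are illustrative, not taken from the page).
BEFORE='HTTP/1.1 200 OK
Connection: keep-alive
X-Powered-By: Undertow/1
Server: WildFly/10
Content-Type: text/html;charset=UTF-8
Content-Length: 1531
Date: Mon, 01 Jan 2018 10:00:00 GMT
'

# Constructed sample of the same response after the filter-ref entries were removed.
AFTER='HTTP/1.1 200 OK
Connection: keep-alive
Content-Type: text/html;charset=UTF-8
Content-Length: 1531
Date: Mon, 01 Jan 2018 10:00:00 GMT
'

# check_sample returns 0 when the given header dump is clean, 1 otherwise.
check_sample() {
    printf '%s' "$1" | disclosing_headers >/dev/null
}

# Live check against a running instance (hostname and port are assumptions;
# 8080 is the default HTTP port). Uncomment to run after the server restart:
# curl -sI http://localhost:8080/ | disclosing_headers && echo "no disclosing headers"
```

The check matches header names only, so it also catches a Server header that was re-added with a custom value; extend the pattern if your deployment sets further identifying headers.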

Command execution details

For each command there should be output similar to the one shown below (for the first command):

[standalone@0.0.0.0:10048 /] /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove()
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}

If you receive an error message like the following, check the exact spelling of your command. The result may also be acceptable as it is, in which case it simply means that the header had already been removed:

[standalone@0.0.0.0:10048 /] /subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove()
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0216: Management resource '[
    (\"subsystem\" => \"undertow\"),
    (\"server\" => \"default-server\"),
    (\"host\" => \"default-host\"),
    (\"filter-ref\" => \"server-header\")
]' not found",
    "rolled-back" => true,
    "response-headers" => {"process-state" => "reload-required"}
}