减少Tomcat错误页面中的信息泄露 [英] Reducing information disclosure in Tomcat error pages
问题描述
默认情况下,Tomcat的错误页面会公开Tomcat的存在以及处理请求的容器的确切版本。这对开发是很好的,但在生产环境中,这个信息是一个潜在的安全漏洞,禁用它是很好的。
By default, Tomcat's error pages disclose both the existence of Tomcat and the exact version of the container that's handling the requests. This is nice for development, but in a production context this information is a potential security hole and it would be nice to disable it.
所以我想知道什么最好的(最直接/全面的)解决方案是完全抑制Tomcat的默认错误页面。我知道web.xml中的< error-page> 选项,但似乎在所需的数量上都失败了,部分原因是我必须列出相同的替代方法错误页面多次(一个针对每个响应代码我想要处理),并且因为这可能不是100%稳健;如果攻击者可以以某种方式获取我没有明确列出的错误代码,他们将获得默认错误页面。
Thus I would like to know what the best (as in most straightforward/comprehensive) solution is to completely suppress Tomcat's default error pages. I am aware of the <error-page> option in web.xml, but it seems to fail on both desired counts, partly because I would have to list the same alternative error page many times (one for each response code I want to handle), and because this strikes me as possibly not 100% robust; if an attacker can somehow get an error code returned that I haven't explicitly listed, they would get the default error page.
理想情况下,一个简单的选项来设置通用自定义错误页面,或者在默认错误页面中禁用发送任何HTML以及错误代码,将是最好的。如果这两个选项都不可能,我有兴趣了解实现此功能的典型方法是(讨论/显示为什么这些假设选项不存在的积分,因为我似乎需要相当的标准对于在生产中使用Tomcat的任何人)。
Ideally, a simple option to set a universal custom error page, or to flat out disable sending any HTML along with the error code in the default error page, would be best. If neither of those options are possible, I'd be interested in finding out what the typical way to implement this functionality is (bonus points for discussing/showing why those hypothetical options don't exist, since it seems my requirement would be quite standard for anyone using Tomcat in production...).
推荐答案
< error-page> 是正确的答案,但您不想仅将所有错误代码重定向到一些通用消息。你必须考虑如何处理每个错误。如果你害怕你可能会错过其中一个代码,请查看 HttpServletResponse界面。
<error-page> is the right answer, but you don't want to just redirect all error codes to some generic message. You have to think about how you want to handle each error. If you're afraid you might miss one of the codes, check out the constants in the HttpServletResponse interface.
这篇关于减少Tomcat错误页面中的信息泄露的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
