How to Change the Default Server HTTP Error Responses
The Suite web server is configured with a custom error page, which by default handles errors at the application and context levels. Errors that occur at the server level display the default Tomcat error pages. These pages show the server version and part of the stack trace, and that disclosure poses a risk.
This article explains how to disable the Apache Tomcat server's detailed HTTP error responses by adding configuration attributes to the server.xml file. $CATALINA_BASE/conf/server.xml is the main configuration file. It is divided into several categories such as Top Level Elements, Executors, Connectors, Containers, and Nested Components. These categories contain configuration attributes that let you adjust the Apache Tomcat server's functionality.
How to prevent a detailed HTTP error response when sending special characters
By default, when special characters such as []|{}^\`"> are added to the URL, the Tomcat server returns a 400 response that reveals information about the server, as shown in the image.
To solve this error, add the following attributes to the HTTP Connector element in the server.xml file:
· relaxedPathChars='[]|{}^\`">'
· relaxedQueryChars='[]|{}^\`">'
For example, enter the following element on a single line:
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443" relaxedPathChars='[]|{}^\`">' relaxedQueryChars='[]|{}^\`">' />
How to prevent a detailed HTTP error response when sending a long parameter
By default, when a long parameter is sent, the Tomcat server returns a 400 response that reveals information about the server, as shown in the image.
To solve this error, add the maxHttpHeaderSize attribute to the HTTP Connector element in the server.xml file and set it to a value that accommodates the expected request size. maxHttpHeaderSize is the maximum allowed size of the request and response HTTP headers, in bytes. Its default value is 8192 bytes (8 KB).
How to configure HTTP error responses with ErrorReportValve
ErrorReportValve is a simple error handler for HTTP status codes that generates and returns HTML error pages. You can configure ErrorReportValve in the server.xml file to avoid showing the default error pages when an error occurs at the server level. The syntax is as follows:
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
Note: When you disable both showServerInfo and showReport, the response body is empty and only the HTTP status code is returned.
The ErrorReportValve configuration attributes are described in the following table:
Attribute | Description
---|---
className | The Java class name of the implementation to use. To use the default error report valve, set it to org.apache.catalina.valves.ErrorReportValve.
showReport | Flag to determine if the error report (custom error message and/or stack trace) is presented when an error occurs. If set to false, the error report is not returned in the HTML response. Default value: true.
showServerInfo | Flag to determine if server information is presented when an error occurs. If set to false, the server version is not returned in the HTML response. Default value: true.
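The following script is an added example, not part of the original article or of the Tomcat project. It audits a server.xml for the two hardening measures described above: it checks every HTTP Connector for the relaxedPathChars and relaxedQueryChars attributes (and reports the effective maxHttpHeaderSize), and checks every Host for an ErrorReportValve with both showReport and showServerInfo set to false. The embedded server.xml is a constructed sample with one unhardened Connector, one hardened Connector, an AJP Connector (which is skipped), a hardened Host and a Host without an explicit valve; the port numbers and host names are illustrative only. A Host with no explicit ErrorReportValve is reported because Tomcat then uses its default error report valve, whose showReport and showServerInfo both default to true, as the table states.

```python
"""Audit a Tomcat server.xml for detailed-error-response hardening.

Added example, not code from the original article or from Apache Tomcat.
Uses only the Python standard library.
"""
import xml.etree.ElementTree as ET

ERROR_REPORT_VALVE = "org.apache.catalina.valves.ErrorReportValve"
DEFAULT_MAX_HTTP_HEADER_SIZE = 8192  # Tomcat default, 8 KB

# Constructed sample server.xml (not a real deployment).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- unhardened: no relaxed*Chars, default header size -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!-- hardened: relaxed*Chars set, larger header limit -->
    <Connector port="8081" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"
               maxHttpHeaderSize="16384"
               relaxedPathChars='[]|{}^\\`">'
               relaxedQueryChars='[]|{}^\\`">' />
    <!-- AJP connector: not an HTTP connector, skipped by the audit -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false" />
      </Host>
      <Host name="intranet.example" appBase="webapps2" />
    </Engine>
  </Service>
</Server>
"""


def _is_false(value):
    """True only when an attribute is explicitly set to 'false'."""
    return value is not None and value.strip().lower() == "false"


def audit_connectors(server_xml):
    """Return one finding per HTTP Connector (AJP connectors are skipped)."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # The protocol attribute defaults to HTTP/1.1 when omitted.
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" in protocol.upper():
            continue
        findings.append({
            "port": conn.get("port"),
            "relaxedPathChars": conn.get("relaxedPathChars") is not None,
            "relaxedQueryChars": conn.get("relaxedQueryChars") is not None,
            "maxHttpHeaderSize": int(
                conn.get("maxHttpHeaderSize", DEFAULT_MAX_HTTP_HEADER_SIZE)),
        })
    return findings


def audit_hosts(server_xml):
    """Return one finding per Host: is an ErrorReportValve configured, and
    does it hide both the report and the server information?"""
    root = ET.fromstring(server_xml)
    findings = []
    for host in root.iter("Host"):
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == ERROR_REPORT_VALVE]
        hardened = any(_is_false(v.get("showReport"))
                       and _is_false(v.get("showServerInfo"))
                       for v in valves)
        findings.append({"host": host.get("name"),
                         "explicit_valve": bool(valves),
                         "hardened": hardened})
    return findings


def audit(server_xml):
    """Return a list of human-readable issues; an empty list means hardened."""
    issues = []
    for c in audit_connectors(server_xml):
        missing = [a for a in ("relaxedPathChars", "relaxedQueryChars")
                   if not c[a]]
        if missing:
            issues.append(f"Connector port {c['port']}: missing "
                          f"{', '.join(missing)}")
    for h in audit_hosts(server_xml):
        if not h["hardened"]:
            issues.append(f"Host {h['host']}: ErrorReportValve does not set "
                          "showReport=false and showServerInfo=false")
    return issues


if __name__ == "__main__":
    # Run against the constructed sample; pass a real file's contents to
    # audit() to check a deployment.
    for issue in audit(SAMPLE_SERVER_XML):
        print(issue)
```

The audit is deliberately conservative: a Host is only counted as hardened when the ErrorReportValve explicitly sets both flags to false, because either flag alone still leaks part of the information (the server version or the stack trace). Note that the script checks only whether relaxedPathChars and relaxedQueryChars are present, not their values, since which characters are acceptable depends on the application.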