The default configuration of Spring Boot tells quite a lot about errors and software versions used. This is a potential security leak and therefor should be avoided.
One step is to get rid of server information from header and default error pages.
Result
With my suggested changes in place the default error result pages will look like this:
➜ ~ curl -i http://127.0.0.1:5000
HTTP/1.1 404
Content-Type: text/html;charset=utf-8
Content-Length: 79
Date: Mon, 01 Aug 2022 11:56:16 GMT
Server: disclosed
<!doctype html><html lang="en"><title>error</title><body>Ups! 404</body></html>
Header
Open your application.yml or application.properties file and add the property server.server-header and set it to whatever you want to have in your header. In the sample above I simply used “disclosed”.
Body
The default body also tells the server software name and version. With tomcat this can be removed with the sample above by adding the following classes:
import org.apache.catalina.Container;
import org.apache.catalina.core.StandardHost;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration(proxyBeanMethods = false)
public class ErrorConfig {
// https://docs.spring.io/spring-boot/docs/2.5.4/reference/htmlsingle/#howto-use-tomcat-legacycookieprocessor
// https://github.com/spring-projects/spring-boot/issues/21257#issuecomment-745565376
@Bean
public WebServerFactoryCustomizer<TomcatServletWebServerFactory> errorReportValveCustomizer() {
return (factory) -> {
factory.addContextCustomizers(context -> {
final Container parent = context.getParent();
if (parent instanceof StandardHost) {
// above class FQCN
((StandardHost) parent).setErrorReportValveClass(CustomErrorReportValve.class.getName());
}
});
};
}
}
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ErrorReportValve;
import org.apache.coyote.ActionCode;
import org.apache.tomcat.util.ExceptionUtils;
import org.springframework.http.MediaType;
import java.io.IOException;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicBoolean;
// Converting this to Kotlin results in this class not being used.
public class CustomErrorReportValve extends ErrorReportValve {
@Override
protected void report(final Request request, final Response response, final Throwable throwable) {
// ref: ErrorReportValve implementation
final int statusCode = response.getStatus();
// Do nothing on a 1xx, 2xx and 3xx status
// Do nothing if anything has been written already
// Do nothing if the response hasn't been explicitly marked as in error
// and that error has not been reported.
if (statusCode < 400 || response.getContentWritten() > 0 || !response.setErrorReported()) {
return;
}
// If an error has occurred that prevents further I/O, don't waste time
// producing an error report that will never be read
final AtomicBoolean result = new AtomicBoolean(false);
response.getCoyoteResponse().action(ActionCode.IS_IO_ALLOWED, result);
if (!result.get()) {
return;
}
try {
try {
response.setContentType(MediaType.TEXT_HTML_VALUE);
response.setCharacterEncoding(StandardCharsets.UTF_8.name());
} catch (final Throwable t) {
ExceptionUtils.handleThrowable(t);
if (container.getLogger().isDebugEnabled()) {
container.getLogger().debug("status.setContentType", t);
}
}
final Writer writer = response.getReporter();
if (writer != null) {
// If writer is null, it's an indication that the response has
// been hard committed already, which should never happen
writer.write("<!doctype html><html lang=\"en\"><title>error</title><body>Ups! " + statusCode + "</body></html>");
response.finishResponse();
}
} catch (IOException | IllegalStateException e) {
// Ignore
}
}
}