How to remove platform-related information from HTTP headers of TIBCO Spotfire Server responses


Article ID: KB0074693


Products: Spotfire Server
Versions: 10.5 and lower

Description

Attackers can often use platform-related information to target a system more effectively. In one possible scenario, an attacker looks up the known vulnerabilities for an identified version of the TIBCO Spotfire Server application and tries to exploit them.

Hence, for security reasons, it may be required to hide the Apache Tomcat version information.

Note: This is done by default in versions 10.6 and higher, so no manual changes are needed for those versions.

Environment

All

Resolution

Below are the steps to hide Tomcat's version information on the TIBCO Spotfire Server:
  1. Open the server.xml file, located in the conf directory on the TIBCO Spotfire Server machine, in a plain text editor (see Server.xml file for more detail).
  2. Add the following lines just before the </Host> entry within the server.xml file:
       <Valve className="org.apache.catalina.valves.ErrorReportValve"
              showReport="false"
              showServerInfo="false" />
  3. Save and close the file.
  4. Restart the Spotfire Server.
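To confirm the change after the restart, the check below audits a server.xml for the valve settings described in the steps above and scans an error response body for a Tomcat version banner. It is an added example, not part of the original article or TIBCO's tooling; the function names, the sample XML and the sample error page are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.ErrorReportValve"
# Tomcat's default error page ends with a footer such as "Apache Tomcat/9.0.0".
BANNER = re.compile(r"Apache Tomcat/\d+(?:\.\d+)*")

def audit_server_xml(xml_text):
    """Return one finding per <Host> setting that still exposes server info."""
    findings = []
    for host in ET.fromstring(xml_text).iter("Host"):
        name = host.get("name", "(unnamed)")
        # Only direct children count: the valve must sit inside <Host>.
        valves = [v for v in host.findall("Valve") if v.get("className") == VALVE]
        if not valves:
            findings.append(f"{name}: no ErrorReportValve, Tomcat defaults apply")
        for valve in valves:
            for attr in ("showReport", "showServerInfo"):
                # Both attributes default to true when omitted.
                if valve.get(attr, "true").strip().lower() != "false":
                    findings.append(f"{name}: {attr} is not 'false'")
    return findings

def leaked_banner(response_text):
    """Return the Tomcat version banner in a response body, or None."""
    match = BANNER.search(response_text)
    return match.group(0) if match else None

# Constructed samples (not taken from a real Spotfire Server installation).
BEFORE = """<Server><Service name="Catalina"><Engine name="Catalina">
  <Host name="localhost" appBase="webapps"/>
</Engine></Service></Server>"""
AFTER = """<Server><Service name="Catalina"><Engine name="Catalina">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false" showServerInfo="false" />
  </Host>
</Engine></Service></Server>"""
ERROR_PAGE = "<h1>HTTP Status 404</h1><hr/><h3>Apache Tomcat/9.0.0</h3>"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_server_xml(text) or "OK")
    print("banner in sample error page:", leaked_banner(ERROR_PAGE))
```

Run `audit_server_xml` against the contents of the edited server.xml, and `leaked_banner` against the body returned for a request to a non-existent path on the server.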

Issue/Introduction

This article explains how to remove platform-related information from the HTTP headers of TIBCO Spotfire Server responses, as part of security requirements.

Additional Information

Doc: Server.xml file
Doc: Manually editing the server.xml file