I just stumbled upon a paper on JSF security containing the following statement:
In Sun's RI JSF implementation, the "com.sun.faces.disableVersionTracking" configuration parameter is defined explicitly. By default, it is set to false which means application running on the web server will throw the JSF version into the response headers when the web client queries for it.
But I don't understand how the web client is supposed to query for it? Is there a way to put extra (header) parameters to a request which makes JSF more chatty? I'm using MyFaces as the JSF implementation.
That phrase is poorly written. Clients can't specifically query for JSF application version information. In fact, this is returned to every single HTTP request sent by the client. The JSF version information is set as the X-Powered-By response header.
Basically, you should read "queries" as "sends an HTTP request".
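
An added example, not part of the answer above: because the header arrives on any ordinary response, auditing your own application for this disclosure only requires parsing the response head. The sample responses, the `JSF/1.2` header value and the function names are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from a real server).
SAMPLE_JSF = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Powered-By: Servlet/2.5\r\n"
    "x-powered-by: JSF/1.2\r\n"
    "\r\n<html>...</html>"
)
SAMPLE_CLEAN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

# A product token with an optional "/version" suffix, e.g. "JSF/1.2".
TOKEN = re.compile(r"([A-Za-z][\w.+-]*)(?:/(\d[\w.]*))?")


def powered_by_products(raw_response):
    """Return [(product, version_or_None), ...] from every X-Powered-By header.

    Header names are matched case-insensitively and repeated headers are
    all collected, since a container and a framework may each add one.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    products = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "x-powered-by":
            continue
        for match in TOKEN.finditer(value):
            products.append((match.group(1), match.group(2)))
    return products


def jsf_disclosure(raw_response):
    """Return the JSF version the response discloses, or None if it does not."""
    for product, version in powered_by_products(raw_response):
        if product.upper() == "JSF" and version:
            return version
    return None


if __name__ == "__main__":
    for label, raw in (("jsf", SAMPLE_JSF), ("clean", SAMPLE_CLEAN)):
        print(label, powered_by_products(raw), jsf_disclosure(raw))
```

Run it against the response head of any page of your own deployment; a non-None result means the framework version is being sent to every client.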