How can I configure Glassfish server 5.1 not to disclose environment information


We recently performed a PCI scan and one of the suggestions was that environment information shouldn't be disclosed. Does anyone have an idea how to configure Glassfish server not to disclose the server information?


Solution

  • I assume that you are referring to settings in the response headers. If so, you need to make three configuration changes, so start Glassfish and open its Administration Console. That's http://localhost:4848 in my case, but you may have something different.

    Change 1:

    • Select Configurations > server-config > JVM Settings, then click the JVM Options tab.
    • Click the Add JVM Option button. Add the option -Dproduct.name={server} where {server} can be whatever you want, including an empty string. I chose -Dproduct.name=AnonymousServer. Click Save. The value you specify will be set in the Server field of the response header.

    Change 2:

    • Select Configurations > server-config > Network Config > Network Listeners > http-listener-1, then click the HTTP tab in the right panel.
    • Scroll down and uncheck the XPowered By: field and click Save.
    • This will exclude the X-Powered-By field from the response header.

    Change 3:

    • Repeat Change 2 above, but select http-listener-2 (security enabled) instead of http-listener-1 (security not enabled).

    Finally, restart Glassfish, then connect to your application in a browser or a tool such as Postman, and verify that the response headers have changed. For example, here are before and after shots for a simple web application in Firefox, using the browser's developer tools. They show that after the configuration changes and restart:

    • There is no longer an X-Powered-By response header field.
    • The server name has been changed (to AnonymousServer in my case) in the Server field.

    Before the changes: [screenshot "beforeChanges"]

    After the changes: [screenshot "afterChanges"]
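The answer's last step, checking the response headers after the restart, is easy to repeat as a script so the check can be run again after every upgrade or config change rather than by eye in the browser. The following is an added example, not code from the answer or from GlassFish: a small Python header audit that flags a still-present X-Powered-By header and a Server header that still names a product or version. The token list, the digit heuristic and the BEFORE/AFTER header sets are constructed for the example (the AFTER set uses the answer's AnonymousServer value); the real default GlassFish header values are not reproduced here.

```python
"""Audit HTTP response headers for server/environment disclosure.

Added example: checks the two headers the answer above targets
(Server and X-Powered-By) against a live URL or a captured header set.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
from typing import Mapping

# Substrings that indicate the Server value still identifies the product.
# Assumed list for this example; extend it for the products in your estate.
DISCLOSING_TOKENS = ("glassfish", "payara", "java", "jsp", "servlet")


def audit_headers(headers: Mapping[str, str]) -> dict[str, str]:
    """Return {header_name: reason} for each header that still leaks environment info.

    An empty dict means the response passes the check.
    """
    findings: dict[str, str] = {}
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}

    # Change 2/3 in the answer removes this header entirely; any value is a finding.
    if "x-powered-by" in lowered:
        findings["X-Powered-By"] = f"present: {lowered['x-powered-by']!r}"

    # Change 1 replaces the Server value; flag product names or version digits.
    server = lowered.get("server")
    if server:
        value = server.lower()
        if any(tok in value for tok in DISCLOSING_TOKENS) or any(ch.isdigit() for ch in value):
            findings["Server"] = f"identifies product/version: {server!r}"
    return findings


def fetch_headers(url: str, timeout: float = 5.0) -> dict[str, str]:
    """Issue a HEAD request to an operator-supplied URL and return its response headers.

    Error responses (4xx/5xx) still carry headers, so they are returned too.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample headers (not captured from a real server) standing in for
# the "before" and "after" states described in the answer.
BEFORE = {
    "Server": "ExampleAppServer/5.1.0",
    "X-Powered-By": "Servlet/4.0 JSP/2.3 (ExampleAppServer 5.1.0 Java/11)",
    "Content-Type": "text/html;charset=UTF-8",
}
AFTER = {
    "Server": "AnonymousServer",
    "Content-Type": "text/html;charset=UTF-8",
}

if __name__ == "__main__":
    # Usage: python audit_headers.py https://your-app.example/   (no URL -> audit the AFTER sample)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit_headers(fetch_headers(target) if target else AFTER)
    for name, reason in result.items():
        print(f"FAIL {name}: {reason}")
    if result:
        sys.exit(1)
    print("PASS: no environment disclosure in Server/X-Powered-By")
```

Run it against the application URL after the restart; a non-zero exit code means one of the two headers still discloses the platform, which makes it suitable as a post-deployment check in a pipeline. The same three changes can also be scripted with asadmin (create-jvm-options for the product.name option, and set on each listener's http xpowered-by attribute), but the exact dotted attribute names should be confirmed with asadmin get on your own domain rather than taken from memory.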