I am planning on deploying an EAR application on JBoss 6 on Amazon, available on the public web. I will need more than one instance, but I do not need clustering and the ELB can do its job in my case. The OWASP security guidelines have been considered during development of the application. However, I have an issue with one OWASP principle: security by obscurity.
How can I conceal the fact that I am using JBoss? I have custom error pages and the ELB allows access only to the context path of my application; however, I am worried whether JBoss reveals any headers that are JBoss-specific. Is it any safer to have Apache in front of JBoss in each instance using mod_jk or mod_proxy_ajp just to forward the requests (this is something I want to avoid if unnecessary)?
Regards
I found the solution.
This link explains how to remove the JBoss-specific header.
Tomcat-specific headers can also be removed as explained here and here.
Regards
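Whichever of the linked configuration changes you apply, it is worth verifying from the outside that nothing identifying is still leaking, both on a normal page and on an error page (the stock JBoss Web error report names the container in its body even when the headers are clean). The following is an added example, not code from the question or the answer above: a small Python audit that flags `X-Powered-By`, a `Server` value naming the container, a `JSESSIONID` cookie (a servlet-container hint) and vendor strings in an error body. The two embedded responses are constructed samples that approximate a default JBoss Web instance before and after hardening; the exact header values are assumptions, not taken from the original post.

```python
"""Audit HTTP responses for headers and body text that fingerprint
JBoss / JBoss Web (Tomcat).  Added example, not part of the original thread."""
import http.client
import re
import sys
from typing import List, Tuple
from urllib.parse import urlsplit

# Case-insensitive substrings that identify the container.  The list is an
# assumption based on common default values, not something the thread states.
VENDOR_MARKERS = ("jboss", "tomcat", "coyote")


def has_marker(text: str) -> bool:
    """True if any vendor marker appears in the text (case-insensitive)."""
    low = text.lower()
    return any(m in low for m in VENDOR_MARKERS)


def audit_response(status: int, headers: List[Tuple[str, str]], body: str) -> List[str]:
    """Return a list of human-readable findings for one HTTP response."""
    findings: List[str] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "x-powered-by":
            # This header exists only to advertise the stack; flag it regardless of value.
            findings.append(f"header {name}: {value!r} should be removed")
        elif lname == "server" and has_marker(value):
            findings.append(f"header {name}: {value!r} names the container")
        elif lname == "set-cookie" and re.match(r"\s*jsessionid=", value, re.IGNORECASE):
            # JSESSIONID is the servlet-spec default cookie name: a hint, not proof.
            findings.append("cookie JSESSIONID reveals a Java servlet container")
        elif has_marker(value):
            findings.append(f"header {name}: {value!r} contains a vendor string")
    # Custom error pages should not carry the container's own error report.
    if status >= 400 and has_marker(body):
        findings.append(f"error page body (status {status}) names the container")
    return findings


def probe(url: str, timeout: float = 5.0) -> List[str]:
    """Fetch a URL with the standard library and audit the live response."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.netloc})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return audit_response(resp.status, resp.getheaders(), body)
    finally:
        conn.close()


# Constructed sample: a 404 from an unhardened JBoss Web instance (values assumed).
SAMPLE_BEFORE = (
    404,
    [
        ("Server", "Apache-Coyote/1.1"),
        ("X-Powered-By", "Servlet 2.5; JBoss-5.0/JBossWeb-2.1"),
        ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/app"),
        ("Content-Type", "text/html;charset=utf-8"),
    ],
    "<html><head><title>JBoss Web/2.1.3.GA - Error report</title></head>"
    "<body><h1>HTTP Status 404 - /app/missing</h1></body></html>",
)

# Constructed sample: the same request after the headers, cookie name and
# error page have been changed.
SAMPLE_AFTER = (
    404,
    [
        ("Set-Cookie", "SESSIONID=0123456789ABCDEF; Path=/app; HttpOnly"),
        ("Content-Type", "text/html;charset=utf-8"),
    ],
    "<html><body><h1>Page not found</h1></body></html>",
)


if __name__ == "__main__":
    # Usage: python audit.py [https://host/app/does-not-exist]
    if len(sys.argv) > 1:
        results = probe(sys.argv[1])
    else:
        results = audit_response(*SAMPLE_BEFORE)
    print("\n".join(results) or "no container fingerprints found")
```

Run it against a URL that does not exist under your context path as well as a valid one, since the error path is the one most likely to still carry the container's default page after the header settings have been changed. An empty result from this script means only that these particular markers are gone; it does not turn obscurity into a control, so keep it as a check on top of the OWASP hardening you already did.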