默认情况下,嵌入式Tomcat的Spring Boot应用程序的HTTP“server”标头是:
Server → Apache-Coyote/1.1
如何在Spring Boot中实现使用另一个(自定义)“服务器”标头?
对于Tomcat本身,可以在< Connector>处配置它. XML中的元素通过服务器属性:
从https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Connectors开始:
The server attribute controls the value of the Server HTTP header. The default value of this header for Tomcat 4.1.x to 8.0.x is Apache-Coyote/1.1. This header can provide limited information to both legitimate clients and attackers.
但是攻击者仍然会知道这是一个Tomcat服务器.
最佳答案
您可以使用安全配置中的StaticHeadersWriter设置custom headers,这是一个Java配置示例:
public class SecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.headers()
.addHeaderWriter(new StaticHeadersWriter("Server","here to serve you"))
....
}
...
}
