Sep 19, 2018

How to remove X-Powered-By on Glassfish server

In domain/config/default-web.xml file, you’ll need to set the servlet’s xpoweredBy init-param to false.
<servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
      <param-name>xpoweredBy</param-name>
      <param-value>true</param-value>
    </init-param>
</servlet>

Or from command line:
glassfish3/bin/asadmin set  server.network-config.protocols.protocol.http-listener-2.http.xpowered-by=false
glassfish3/bin/asadmin set  server.network-config.protocols.protocol.http-listener-1.http.xpowered-by=false

Please be advised that we need to set both http-listener-1 and http-listener-2 if you want to get rid of it both on http and https.

You don't need to restart domain to take effect.
To verify:
glassfish3/bin/asadmin get  server.network-config.protocols.protocol.http-listener-2.http.*

curl -kv https://localhost > /dev/null

To get all xpowered-by values:

glassfish3/bin/asadmin get "*" | grep xpowered
configs.config.default-config.network-config.protocols.protocol.admin-listener.http.xpowered-by=true
configs.config.default-config.network-config.protocols.protocol.http-listener-1.http.xpowered-by=true
configs.config.default-config.network-config.protocols.protocol.http-listener-2.http.xpowered-by=true
configs.config.server-config.network-config.protocols.protocol.http-listener-2.http.xpowered-by=false
configs.config.server-config.network-config.protocols.protocol.admin-listener.http.xpowered-by=true
configs.config.default-config.network-config.protocols.protocol.sec-admin-listener.http.xpowered-by=true
configs.config.server-config.network-config.protocols.protocol.sec-admin-listener.http.xpowered-by=true

configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.xpowered-by=false

See also:


Posts