Suppressing Stack Traces on HTTP 500 Errors

posted by SpringSource on May 18, 2010 04:33 AM

Security Audits may identify issues with 500 errors, and require the stack traces to be suppressed.

By default when a 500 error (Internal Server Error) occurs in Tomcat it will display a full stack trace on the error page. This can give a hacker information about what technology is being used within the application. To control the error response, it is recommended to customize your own error reporting valve. The current error reporting valve is a good starting point and can be modified to meet your needs. To remove the stack trace element alone will mean removing two lines of code.

Here is the source to the current valve:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/ErrorReportValve.java?view=markup

The docs for how to configure it are:
http://tomcat.apache.org/tomcat-6.0-doc/config/host.html

 

For more than 10 years, SpringSource employees have been supporting Apache technologies, with unparalleled experience and commitment to the Apache Software Foundation. More than 400 of the Fortune 500 count on SpringSource to support their mission-critical business applications. Leaders of the Apache Software Foundation, including Board Members, work at SpringSource and dedicate a significant amount of time further developing the Apache Tomcat open source project. Over the last 2 years, 95% of the issues fixed in the Apache Tomcat project were fixed by SpringSource engineers. For more information on how SpringSource can help your enterprise, see the SpringSource website, or call 800/444-1935.