Spring Boot Hardening – Disclosed Version

The default configuration of Spring Boot reveals quite a lot about errors and the software versions in use. This is a potential information leak and should therefore be avoided.

One step is to remove server information from the Server header and from the default error pages.


With my suggested changes in place, the default error pages will look like this:

➜  ~ curl -i 
HTTP/1.1 404 
Content-Type: text/html;charset=utf-8
Content-Length: 79
Date: Mon, 01 Aug 2022 11:56:16 GMT
Server: disclosed

<!doctype html><html lang="en"><title>error</title><body>Ups! 404</body></html>


Open your application.yml or application.properties file, add the property server.server-header and set it to whatever value you want the header to contain. In the sample above I simply used “disclosed”.


The default error body also discloses the server software name and version. With Tomcat this can be removed, as in the sample above, by adding the following classes:

import org.apache.catalina.Container;
import org.apache.catalina.core.StandardHost;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration(proxyBeanMethods = false)
public class ErrorConfig {

    // https://docs.spring.io/spring-boot/docs/2.5.4/reference/htmlsingle/#howto-use-tomcat-legacycookieprocessor
    // https://github.com/spring-projects/spring-boot/issues/21257#issuecomment-745565376
    /**
     * Swaps Tomcat's default {@code ErrorReportValve}, whose error page names the
     * server software and version, for {@code CustomErrorReportValve} on the embedded
     * {@code StandardHost}, so error bodies no longer disclose that information.
     *
     * NOTE(review): the listing appears truncated here (no closing braces, and the
     * imported {@code Bean} annotation is not applied to this method). A
     * {@code WebServerFactoryCustomizer} only takes effect when it is registered as a
     * bean — presumably this method carries {@code @Bean} in the original; confirm.
     */
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> errorReportValveCustomizer() {
        return (factory) -> {
            factory.addContextCustomizers(context -> {
                final Container parent = context.getParent();
                // setErrorReportValveClass lives on StandardHost, so only that parent type is handled
                if (parent instanceof StandardHost) {
                    // register the custom valve by its fully-qualified class name
                    ((StandardHost) parent).setErrorReportValveClass(CustomErrorReportValve.class.getName());

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ErrorReportValve;
import org.apache.coyote.ActionCode;
import org.apache.tomcat.util.ExceptionUtils;
import org.springframework.http.MediaType;

import java.io.IOException;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicBoolean;

// Converting this to Kotlin results in this class not being used.
public class CustomErrorReportValve extends ErrorReportValve {

    protected void report(final Request request, final Response response, final Throwable throwable) {
        // ref: ErrorReportValve implementation

        final int statusCode = response.getStatus();

        // Do nothing on a 1xx, 2xx and 3xx status
        // Do nothing if anything has been written already
        // Do nothing if the response hasn't been explicitly marked as in error
        //    and that error has not been reported.
        if (statusCode < 400 || response.getContentWritten() > 0 || !response.setErrorReported()) {

        // If an error has occurred that prevents further I/O, don't waste time
        // producing an error report that will never be read
        final AtomicBoolean result = new AtomicBoolean(false);
        response.getCoyoteResponse().action(ActionCode.IS_IO_ALLOWED, result);
        if (!result.get()) {

        try {
            try {
            } catch (final Throwable t) {
                if (container.getLogger().isDebugEnabled()) {
                    container.getLogger().debug("status.setContentType", t);
            final Writer writer = response.getReporter();
            if (writer != null) {
                // If writer is null, it's an indication that the response has
                // been hard committed already, which should never happen
                writer.write("<!doctype html><html lang=\"en\"><title>error</title><body>Ups! " + statusCode + "</body></html>");
        } catch (IOException | IllegalStateException e) {
            // Ignore