Disable stacktraces in Tomcat's error pages to make it ready for production

security tomcat

Solution 1:

The error page is generated by a simple error handler, the Error Report Valve. You can hide stack traces (showReport) as well as the server info by adding these lines to your server.xml's Host section:

<Valve className="org.apache.catalina.valves.ErrorReportValve"
    showReport="false" 
    showServerInfo="false" />

Another solution is to use custom, user friendly error pages for every HTTP error code:

<error-page>
    <error-code>500</error-code>
    <location>/error500.jsp</location>
</error-page>

as well as for every different Throwable:

<error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/error-Exception.jsp</location>
</error-page>

<error-page>
    <exception-type>java.sql.SQLException</exception-type>
    <location>/error-SQLException.jsp</location>
</error-page>

Related

What does --memory-reservation flag do in practice?
Can I trace a RabbitMQ consumer to a remote host?
How can i test my SAS Controller card? [closed]
Ubuntu: /dev/sdb1 is apparently in use by the system; will not make a filesystem here
Nagios - 'Error: Could not open config directory' but permissions are correct and selinux is permissive
mkfs fails complaining that: "/dev/sdb is apparently in use by the system; will not make a filesystem here"
How to use SMB Multichannel over VPN?
Very slow SMB speeds on macOS
custom dnsmasq (or custom options) with libvrt?
OpenLDAP client inside a docker container
How to create hyperlink to call phone number on mobile devices?
What is the Difference Between read() and recv() , and Between send() and write()?