Tomcat server.xml configuration not hiding version number

Good morning!

We have been working on mitigating a bunch of security issues that were found during the last pentesting session and one of them was exposing the Tomcat version on the Apache error page.

To fix it, I edited the Tomcat configuration file located inside the project under the path conf/server.xml and added the following line under the “Host” tag:

<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>

However, when I restart Tomcat on my local machine and take a look at the server.xml generated inside the target folder, I see that the line is now gone, and therefore it keeps showing the Tomcat version.

Is there another configuration file that I need to edit that I failed to identify?

Thanks in advance.

You mean locally starting with cargo? I’m fairly confident that the server.xml in cargo is a default one with the Tomcat image. I don’t think the one in your project is even included in the dist file. For local you’d have to change the cargo profile to include your server.xml. For the dist you’d have to adjust the conf-component.xml. However, this file is usually under control of ops and not dev. So it makes more sense to not manage this in the project.

Yes, I am aware that it is usually managed by ops but I wanted to make sure it was the correct setting to apply (and it is!).

Thank you!
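
A way to confirm which hosts in the server.xml that Tomcat actually loads (for example the copy generated under the target folder) carry the valve from the question, as an added example that is not part of the original thread. The sample XML, the host name internal.example and the function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.ErrorReportValve"
# Values from the thread; without the valve Tomcat defaults both to true.
REQUIRED = {"showReport": "false", "showServerInfo": "false"}

# Constructed sample: one Host with the valve from the post, one without it.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
      <Host name="internal.example" appBase="webapps-internal">
        <Valve className="org.apache.catalina.valves.AccessLogValve"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

def audit_hosts(root):
    """Map each Host name to a list of problems; an empty list means hardened."""
    findings = {}
    for host in root.iter("Host"):
        name = host.get("name", "<unnamed>")
        valves = [v for v in host.findall("Valve") if v.get("className") == VALVE_CLASS]
        if not valves:
            findings[name] = ["no ErrorReportValve under this Host"]
            continue
        problems = []
        for attr, wanted in REQUIRED.items():
            actual = valves[0].get(attr)
            if (actual or "").strip().lower() != wanted:
                problems.append(f"{attr}={actual!r}, expected {wanted!r}")
        findings[name] = problems
    return findings

def audit_text(xml_text):
    return audit_hosts(ET.fromstring(xml_text))

def audit_file(path):
    return audit_hosts(ET.parse(path).getroot())

if __name__ == "__main__":
    # Pass the path of the generated server.xml, or run without arguments for the sample.
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_text(SAMPLE_SERVER_XML)
    for host, problems in result.items():
        print(host, "OK" if not problems else "; ".join(problems))
    sys.exit(1 if any(result.values()) else 0)
```

Run against the generated file rather than the project's conf/server.xml, since the thread shows the two can differ; the non-zero exit code makes it usable as a build or deployment check.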