STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Apache Tomcat Application Server 9 Security Technical Implementation Guide

V-222957

CAT III (Low)

xpoweredBy attribute must be disabled.

Rule ID

SV-222957r960963_rule

STIG

Apache Tomcat Application Server 9 Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-000381

Discussion

Individual connectors can be configured to display the Tomcat server info to clients. This information can be used to identify Tomcat versions which can be useful to attackers for identifying vulnerable versions of Tomcat. Individual connectors must be checked for the xpoweredBy attribute to ensure they do not pass Tomcat server info to clients.

Check Content

From the Tomcat server run the following OS command:

sudo cat $CATALINA_BASE/conf/server.xml |grep -i -C4 xpoweredby.

If any connector elements contain xpoweredBy="true", this is a finding.

Fix Text

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

Examine each <Connector> </Connector> element, if the element contains xpoweredBy="true", modify the statement to read ", xpoweredBy="false".

sudo systemctl restart tomcat
sudo systemctl daemon-reload