With Grizzly at the heart of GlassFish since 2.x and offering great HTTP performance, I see a number of users simply go without any front-end web server (when the network topology allows for this). This means that GlassFish can be exposed directly to the internet. For security reasons (trying not to help hackers), it may be a good idea not to tell the world which server you are using. This is what a user recently asked about on the forums.

By default, GlassFish returns two HTTP headers that may disclose that GlassFish is the server used:

% curl -I http://localhost:8080
HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1

Both headers can be changed with GlassFish. Read on to see how to do so with version 3.0.1.

Let's start with "X-Powered-By". To remove it, set the xpowered-by HTTP listener property to false (the default is true, to conform to the Servlet specification). You can do this in the admin console (Configuration > Network Config > Network Listeners > http-listener-1 > HTTP), or from the CLI using the dotted notation in a single command:

asadmin set server.network-config.protocols.protocol.http-listener-1.http.xpowered-by=false

You can also point your HTTP client to this RESTful admin URL: http://localhost:4848/management/dom...istener-1/http and send a POST to change the xpowered-by property. With no restart required, you should now see the following complete HEAD response (no more X-Powered-By):

% curl -I http://localhost:8080
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 3.0.1
Accept-Ranges: bytes
ETag: W/"5212-1259789398000"
Last-Modified: Wed, 02 Dec 2009 21:29:58 GMT
Content-Type: text/html
Content-Length: 5212
Date: Tue, 07 Sep 2010 10:02:27 GMT

The second part, maybe the most important, is the "Server" HTTP header, which can be either modified or removed altogether. This involves adding a Java property, which means the change requires a server restart. The magic property is called product.name. Again, you can use the admin console to change this (Configuration > JVM Settings > JVM Options) or go the command-line route:

% asadmin create-jvm-options -Dproduct.name="My little server"
% asadmin restart-domain
Successfully restarted the domain
Command restart-domain executed successfully.
% curl -I http://localhost:8080
HTTP/1.1 200 OK
Server: My little server
Accept-Ranges: bytes
ETag: W/"5212-1259789398000"
Last-Modified: Wed, 02 Dec 2009 21:29:58 GMT
Content-Type: text/html
Content-Length: 5212
Date: Tue, 07 Sep 2010 10:20:16 GMT

Finally, you can remove the "Server" header altogether by setting the property to an empty string:

% asadmin create-jvm-options -Dproduct.name=""
% asadmin restart-domain
Successfully restarted the domain
Command restart-domain executed successfully.
% curl -I http://localhost:8080
HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"5212-1259789398000"
Last-Modified: Wed, 02 Dec 2009 21:29:58 GMT
Content-Type: text/html
Content-Length: 5212
Date: Tue, 07 Sep 2010 10:20:36 GMT
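
To confirm the result after each change, the check below (an added example, not part of the original post) reads response headers such as the output of curl -sI and reports whether Server or X-Powered-By is still being sent. The function names and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a response
# still carries the two banner headers discussed above.
# Reads raw response headers on stdin; prints each banner header found.
# Returns 1 if Server or X-Powered-By is present, 0 if neither is.
check_banner_headers() {
    awk '
        { sub(/\r$/, "") }              # headers arrive with CRLF line endings
        /^[^:]+:/ {
            name = tolower($0)          # header names are case-insensitive
            sub(/:.*/, "", name)
            if (name == "server" || name == "x-powered-by") {
                print "disclosed: " $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: the default GlassFish 3.0.1 response from the post.
sample_default() {
    printf 'HTTP/1.1 200 OK\r\nX-Powered-By: Servlet/3.0\r\n'
    printf 'Server: GlassFish Server Open Source Edition 3.0.1\r\n\r\n'
}

# Constructed sample: the response after both changes have been applied.
sample_hardened() {
    printf 'HTTP/1.1 200 OK\r\nAccept-Ranges: bytes\r\n'
    printf 'Content-Type: text/html\r\nContent-Length: 5212\r\n\r\n'
}

# Against a live listener: curl -sI http://localhost:8080 | check_banner_headers
sample_default  | check_banner_headers || echo "default: banner headers present"
sample_hardened | check_banner_headers && echo "hardened: no banner headers"
```

Because the function returns a non-zero status when either header is present, it can be dropped into a deployment smoke test that fails if a new listener or domain comes up with the defaults.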


