Despite progressively moving on to JBoss, I still share my findings; often they apply to other products too.
For a public-facing server you want to reveal as little background information as possible. In Glassfish you can create custom 404 and 500 error pages (previous post), but you should also hide the server info that comes with the Server header, which is easily revealed by a tool like the Firefox plugin HttpFox.
There are 2 crucial settings you must change:
- JVM setting for product name: -Dproduct.name="My App Server"
- Remove the “XPowered By” flag
As a result, you will have a pretty generic response header.
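To confirm that both settings took effect, the following added example (not part of the original post) audits a raw response head for headers that still identify the stack. The product-name hint list, the sample responses and their version numbers, and the localhost URL in the comment are constructed assumptions.

```python
import re
import sys

# Tokens that identify the stack (assumed list for this example).
PRODUCT_HINTS = re.compile(r"glassfish|sun java system|jboss|servlet|jsp|java", re.I)
VERSION = re.compile(r"\d+\.\d+")

# Constructed sample responses (not captured from a real server).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server 9.9.9 Java/1.7)\r\n"
    "Server: GlassFish Server 9.9.9\r\n"
    "Content-Type: text/html\r\n\r\n"
)
AFTER = "HTTP/1.1 200 OK\r\nServer: My App Server\r\nContent-Type: text/html\r\n\r\n"

def parse_headers(raw):
    """Return {lowercased-name: [values]} from the first response head in raw."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_headers(raw):
    """List findings for headers that still identify the server stack."""
    headers = parse_headers(raw)
    findings = []
    for value in headers.get("x-powered-by", []):
        findings.append("X-Powered-By still sent: " + value)
    for value in headers.get("server", []):
        if PRODUCT_HINTS.search(value):
            findings.append("Server names the product: " + value)
        if VERSION.search(value):
            findings.append("Server exposes a version: " + value)
    return findings

if __name__ == "__main__":
    # e.g.  curl -sI http://localhost:8080/ | python3 check_headers.py
    problems = audit_headers(sys.stdin.read())
    print("\n".join(problems) or "no identifying headers found")
    sys.exit(1 if problems else 0)
```

The non-zero exit status on a finding lets the check run as a deployment smoke test; only the first response head is inspected, so redirects should be checked separately.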