Despite moving on to JBoss progressively I still share my findings, often they apply to other products too.
For a public facing server you want to reveal as little background information as possible. In Glassfish you can hide create custom 404 and 500 error pages (previous post), but you should also hide the server info that comes with the server header, easily revealed by a tool ike the Firefox plugin httpfox.
Response Header
There are 2 crucial settings you must change:
- JVM setting for product name: -Dproduct.name=”My App Server”
JVM Settings
- Remove the “XPowered By” flag
XPowered By
As result you will have a pretty generic response header
Response Header
The JavaDude Weblog 