For all of my ORDS demos, I’m running it as a standalone process. There’s no Tomcat or Apache involved – and that’s OK. Your needs may require otherwise, and that’s OK too.
When running in a standalone configuration like this, ORDS’ HTTP(S) functionality is being delivered by an embedded Jetty web server. Jetty is an Eclipse project. Very cool stuff – used by LOTS of solutions out there.
Anyhow, a customer asked:
Can we hide Jetty version in the header response ?
which is :
Server : Jetty(9.2.z-SNAPSHOT)
Or in other words, they’re not a big fan of THIS
Security by obscurity – maybe you don’t want to advertise that you’re running Jetty.
Ok, so how do we make that go away?
Thankfully it’s pretty easy.
The ETC\JETTY XML Config File
In your ORDS-INSTALL-HOME\standalone directory, create a subdirectory ‘etc’
Then in THAT directory, create an jetty-http.xml file.
Then in THAT file, add these lines
<?xml version="1.0"?> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd"> <Configure id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration"> <Set name="sendServerVersion">false</Set> </Configure>
Refresh your ORDS request, check the response header.
There’s a TON of Jetty Config Options Available
Kris has talked about a few of them before. For example, this post on how to enable Access logs for Jetty pretty much told me HOW to do this post today.
Ok, so what else can I change?