remove server header tomcat

It should be possible since Tomcat 5.5. Check out this discussion: https://mail-archives.apache.org/mod_mbox/tomcat-users/200508.mbox/%[email protected]%3E and this link: https://tomcat.apache.org/tomcat-4.1-doc/config/coyote.html

Accordingly the following should set the server header to TEST. Empty should make it empty.

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8180" inProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" connectionTimeout="20000" useURIValidationHack="false" server="TEST"/>

Setting the Server header to Apache should security-wise be good enough in most cases. Just from that it won't be possible to infer which OS nor which exact version with which modules and the versions of the modules running.

You can modify your tomcat server.xml and add a "server" option and set it to whatever you want. The server option should be set for any http or ssl connectors that you have running. For example, below is a sample HTTP Connector configuration from an example server.xml file

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" enableLookups="false" xpoweredby="false" server="Web"/>

Short answer - you can't remove the header, but you should modify it (see other answers).

The server header is defined in the RFC and it is mandatory. (not defined as optional in the spec)

Taken from http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38

14.38 Server
The Server response-header field contains information about the software used by the origin server to handle the request.
The field can contain multiple product tokens (section 3.8) and comments identifying the server and any significant subproducts. The product tokens are listed in order of their significance for identifying the application.

If the response is being forwarded through a proxy, the proxy application MUST NOT modify the Server response-header. Instead, it SHOULD include a Via field (as described in section 14.45).

  Note: Revealing the specific software version of the server might
  allow the server machine to become more vulnerable to attacks
  against software that is known to contain security holes. Server
  implementors are encouraged to make this field a configurable
  option.

if you are using embedded tomcat then you can try below code.

import org.apache.catalina.startup.Tomcat;

final Tomcat server = new Tomcat();
server.getConnector().setXpoweredBy(false);
server.getConnector().setAttribute("server", "");