I've done a bit of looking -- both on-line and in the XML configuration files for Tomcat -- and come up empty: how does one completely disable handling of REST requests in CF10?
We aren't currently using it, and in a couple of recent security scans, it has come back as a potential information disclosure vulnerability because the server response includes server version information in the returned headers. I'd like to completely disable it until we actually need it. As best I can tell, HTTP requests for anything that begins with "/rest" are automatically handled as REST requests.
In wading around in the various XML configuration files, the only reference I came across that appeared relevant was in ./WEB-INF/Axis2.xml; there's a parameter in there with the following comment down around line 95:
<!-- Following parameter will completely disable REST handling in Axis2-->
<parameter name="disableREST" locked="false">false</parameter>
Toggling that and bouncing the server didn't have any impact on the server's response to a REST request.
We see this behavior on our dev boxes running CF10 in standalone mode with just Tomcat and on our production boxes which are Windows 2008 and IIS 7.5, if that matters -- ideally, we will need to address this for both environments.
Thanks in advance, and any guidance would be greatly appreciated.
--
/ron
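As an added example (not code from this thread, from Adobe, or from the CF10 distribution): a small Python probe that requests a path under /rest and reports which response headers carry a dotted version string, so the effect of a configuration change can be checked the same way the scanner saw it, before and after. The URL is whatever you pass on the command line; the sample headers embedded below are constructed for illustration and are not a recorded CF10 response.

```python
import http.client
import re
import sys
from urllib.parse import urlparse

# Response headers that commonly carry a product version. The header names
# are standard HTTP ones; which of them a given CF10 install actually sets
# is not assumed here, the probe just reports what it sees.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Constructed sample response (NOT captured from a real server) so the
# script runs offline; the values are placeholders.
SAMPLE_HEADERS = [
    ("Server", "Apache-Coyote/1.1"),
    ("Content-Type", "text/html"),
    ("X-Powered-By", "Hypothetical-Framework/10.0"),
]


def find_version_disclosure(headers):
    """Return {lowercased header name: value} for every header in the
    known-disclosure list whose value contains a dotted version number."""
    findings = {}
    for name, value in headers:
        lname = name.lower()
        if lname in VERSION_HEADERS and VERSION_RE.search(value):
            findings[lname] = value
    return findings


def assess(status, headers):
    """Summarise one probe: the HTTP status the /rest path answered with
    and the version-disclosing headers in that answer. An empty
    'disclosures' dict after a config change is the result you want."""
    return {
        "status": status,
        "disclosures": find_version_disclosure(headers),
    }


def probe_rest(url, timeout=5):
    """Live check: GET the given URL (expected to be a /rest path) and
    return (status, list of (header, value)). Uses only the standard
    library; not exercised offline."""
    u = urlparse(url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python probe.py http://devbox:8500/rest/anything  (hypothetical host)
        status, headers = probe_rest(sys.argv[1])
    else:
        status, headers = 200, SAMPLE_HEADERS
    print(assess(status, headers))
```

Run it once against the current server and once after each change (the Axis2 disableREST toggle, an IIS or Tomcat rule, whatever is tried); if the status still comes from the REST handler and the same headers are still listed under "disclosures", the change did not take effect.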
Hi, I am having the same problem and wondered if you had any success in disabling the /rest dir?
No, we've not found a way to disable this behavior. Still interested in a resolution, however.