Remove the HTTP ‘Server’ response header

  • KM01250806
  • 13-Nov-2014
  • 13-Nov-2014


This document provides clarification on how to remove the HTTP ‘Server’ response header returned for all requests


ALM runs on the Jetty server container that allows it to serve http requests. By default, the container plants the http ‘Server’ header in each response. This header contains the name of the container (Jetty) as well as its exact version.


The 'Server' header is optional. Jetty can be reconfigured so that the header is not included in out server’s responses. This requires a simple change in jetty.xml configuration file.

  1. The file is located (in windows) under C:\ProgramData\HP\ALM\server\conf  (In Linux ProgramData == /var/opt/)

a.       In 12.20 the property appears under HttpConfiguration sections. For example:

     <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Set name="secureScheme">https</Set>
        <Set name="securePort"><Property name="" default="8443" /></Set>
        <Set name="outputBufferSize">32768</Set>
        <Set name="requestHeaderSize">8192</Set>
        <Set name="responseHeaderSize">8192</Set>
        <Set name="sendServerVersion">true</Set>
        <Set name="sendDateHeader">false</Set>
        <Set name="headerCacheSize">512</Set>

       <Call name="addCustomizer">
          <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>


b.       In 11.52 and 12.00, the property appears directly under the root Server configuration section. For example:

  <Configure id="Server" class="org.eclipse.jetty.server.Server">
    <Set name="stopAtShutdown">true</Set>
    <Set name="sendServerVersion">true</Set>
    <Set name="sendDateHeader">true</Set>
    <Set name="gracefulShutdown">1000</Set>
    <Set name="dumpAfterStart">false</Set>
    <Set name="dumpBeforeStop">false</Set>

       2.     Add or modify the sendServerVersion property to false

       3.     Restart ALM service