Java Servlet 3.0 spec advises to expose X-Powered-by. Isn't this a security bad practice?

Question

Reading the Servlet 3.0 spec, I came across the following and wonder if that's really the recommended thing to do. I remember coming across advice to NOT include this info for security reasons:

It is recommended that containers use the X-Powered-By HTTP header to publish its implementation information. The field value should consist of one or more implementation types, such as "Servlet/3.0". Optionally, the supplementary information of the container and the underlying Java platform can be added after the implementation type within parentheses. The container should be configurable to suppress this header. Here's the examples of this header:

X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish v3 JRE/1.6.0)

For example, here, it's argued against this practice. I once used a tool to analyze my website for potential problems and it came back with a security warning and a recommendation to remove the X-Powered-By headers.

Answer 1

I generally wouldn't put the Servlet container directly on the internet either; that's what I use a reverse proxy for (and load balancing).

To answer your question; I don't think security through obscurity is a particularly "good" security practice.

Answer 2

Security through obscurity is a 'Layer' of security. As it pertains to this situation, it is better to hide that header rather than leave it exposed. There are automated tools, scanners, bots etc that will look for certain server response headers. If the right conditions are met, the tool/bot will often perform additional functions including sending exploits to the host. By simply hiding headers, you may just prevent those and other types of attacks. Granted, a vulnerable application is still a vulnerable application. Anyway... point being, it is advised to remove those headers. Security has to be implemented in layers and preventing the footprinting of your application's underlying framework is the first of many steps to protect it.