GeoServer is packaged as a standalone servlet for use with existing application servers such as Apache Tomcat and Jetty.
GeoServer has been mostly tested using Tomcat, and so is the recommended application server. GeoServer requires a newer version of Tomcat (7.0.65 or later) that implements Servlet 3 and annotation processing. Other application servers have been known to work, but are not guaranteed.
Make sure you have a Java Runtime Environment (JRE) installed on your system. GeoServer requires a Java 11 or Java 17 environment,available from OpenJDK, Adoptium, or provided by your OS distribution.
For more information about Java and GeoServer compatibility, please see the section on Java Considerations.
Navigate to the GeoServer Download page.
Select the version of GeoServer that you wish to download. If you’re not sure, select Stable release.
Select Web Archive on the download page: geoserver-2.23-SNAPSHOT-war.zip
Download and unpack the archive.
Deploy the web archive as you would normally. Often, all that is necessary is to copy the
geoserver.warfile to the application server’s
webappsdirectory, and the application will be deployed.
A restart of your application server may be necessary.
Hide the Tomcat version in error responses and its error details.
To remove the Tomcat version, create following file with empty parameters
cd $CATALINA_HOME (where Tomcat binaries are installed) mkdir -p ./lib/org/apache/catalina/util/ cat > ./lib/org/apache/catalina/util/ServerInfo.properties <<EOF server.info= server.number= server.built= EOF
Additionally add to
server.xml the ErrorReportValve to disable showReport and showServerInfo. This is used to hide errors handled globally by tomcat in host section.
<Host name=... section this new ErrorReportValve entry:
... <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> ... <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" /> </Host> </Engine> </Service> </Server>
Why, if security by obscurity does not work?
Even though this is not the final solution, it at least mitigates the visible eye-catcher of outdated software packages.
Let’s take the attackers point of view.
Response with just HTTP status:
HTTP Status 400 – Bad Request
Ok, it looks like a Tomcat is installed.
Default full response:
HTTP Status 400 – Bad Request Type Status Report Message Invalid URI Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing). Apache Tomcat/7.0.67
Ahh, great, the software is not really maintained. Tomcat is far outdated from Dec. 2015 (6 years old as of today Jan. 2022) with a lot of unfixed vulnerabilities.
Notice: For support reason, the local output of version.sh still outputs the current version
$CATALINA_HOME/bin/version.sh ... Server number: 7.0.67 ...
Use your container application’s method of starting and stopping webapps to run GeoServer.
To access the Web administration interface, open a browser and navigate to
http://SERVER/geoserver . For example, with Tomcat running on port 8080 on localhost, the URL would be
If you see the GeoServer Welcome page, then GeoServer is successfully installed.
Update regularly at least the container application! And repeat the hardening process.
There are a lot of geoserver installations visible with outdated Tomcat versions.
Stop the container application.
Remove the GeoServer webapp from the container application’s
webappsdirectory. This will usually include the
geoserver.warfile as well as a