Struts 2 Config Browser plugin enabled - Vulnerability Database

Struts 2 Config Browser plugin enabled

Description

The Struts 2 Config Browser plugin is currently enabled in this web application. This plugin provides a web-based interface that displays the application's runtime configuration, including action mappings, interceptor stacks, and framework settings. While useful during development for debugging and configuration verification, this plugin exposes sensitive architectural details and should never be accessible in production environments.

Remediation

Remove the Config Browser plugin from the production deployment by deleting the struts2-config-browser-plugin-*.jar file from the /WEB-INF/lib directory. After removal, restart the application server to ensure the changes take effect. If the plugin is required for development purposes, implement the following controls:

1. Use separate build configurations for development and production environments to exclude the plugin JAR from production deployments
2. If the plugin must remain installed, restrict access using web application firewall rules or servlet filters that block requests to the config browser endpoints (typically /config-browser/*)
3. Verify the plugin has been successfully removed by attempting to access the config browser URL and confirming it returns a 404 error
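A small POSIX shell check for the remediation steps above, added here as an example and not part of the original entry: it confirms that no struts2-config-browser-plugin JAR remains under WEB-INF/lib and, when a base URL is supplied, that the config browser endpoint answers 404. The webapp path, the base URL and the `index.action` suffix (default Struts 2 action extension) are assumptions for the example.

```shell
#!/bin/sh
# Verifies that the Struts 2 Config Browser plugin is gone from a deployment:
#   1. no struts2-config-browser-plugin-*.jar under <webapp>/WEB-INF/lib
#   2. (optional) GET <base_url>/config-browser/index.action returns 404
# Example (assumed paths):
#   sh check_config_browser.sh /opt/tomcat/webapps/myapp http://localhost:8080/myapp

# Return 0 when no config-browser plugin JAR exists in $1/WEB-INF/lib.
config_browser_jar_absent() {
  webapp_dir="$1"
  if find "$webapp_dir/WEB-INF/lib" -maxdepth 1 \
       -name 'struts2-config-browser-plugin-*.jar' 2>/dev/null | grep -q .; then
    return 1
  fi
  return 0
}

# Return 0 when the config browser index action is not served (HTTP 404).
# $1 is the application base URL, e.g. http://localhost:8080/myapp (assumed).
config_browser_endpoint_is_404() {
  base_url="$1"
  status=$(curl -s -o /dev/null -w '%{http_code}' \
             "$base_url/config-browser/index.action")
  [ "$status" = "404" ]
}

# Combined check: $1 = webapp directory, $2 = optional base URL.
check_config_browser_removed() {
  config_browser_jar_absent "$1" || {
    echo "FAIL: plugin JAR still present under $1/WEB-INF/lib"; return 1; }
  if [ -n "${2:-}" ]; then
    config_browser_endpoint_is_404 "$2" || {
      echo "FAIL: config browser still reachable at $2/config-browser/"; return 1; }
  fi
  echo "OK: Config Browser plugin not present"
  return 0
}
```

Run the JAR check on every production artifact as part of the release pipeline; the URL check only makes sense against a running instance.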
