X-Powered-By displayed in response header

Posted 2019-07-27 03:54

Question:

As per web application security, X-Powered-By should be set to empty when it is displayed in the response header. In our application we did this by implementing a filter.

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    // App specific logic...
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    httpResponse.setHeader("X-Powered-By", "");
    chain.doFilter(request, response);
    httpResponse.setHeader("X-Powered-By", " ");
}

It shows a blank value for X-Powered-By in the response header when hitting the URL. That's well and good, but in our application, when we hit the URL with a query string appended, then for the first request it shows:

x-power-by= JSF1.2

We have also commented out the below X-Powered-By portion in web.xml, as our application uses JBoss 5.0.1.

<filter>
   <filter-name>CommonHeadersFilter</filter-name>
   <filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
   <!--
   <init-param>
      <param-name>X-Powered-By</param-name>
      <param-value>Servlet 2.5; JBoss-5.0/JBossWeb-2.1</param-value>
   </init-param>
   -->
</filter>

But after doing both of the things mentioned above, I am getting X-Powered-By displayed in the response header when I hit the URL with a query string appended for the first time.

URL like: https://example.com?html="abcd",p_ab="shdhsgdhs"

I don't know how to resolve it; any help is highly appreciated.

Answer 1:

1) Add the following entry to your application's web.xml.

<context-param> 
<param-name>com.sun.faces.sendPoweredByHeader</param-name> 
<param-value>false</param-value> 
</context-param>

2) I don't think you need any filter to overwrite this header (based on the JBoss documentation).