Suppressing HTTP Headers from
WebSphere Application Server
18 December 2013 Version 0.5
Dave Hay
IBM Software Services for WebSphere (ISSW)
david_hay@uk.ibm.com
+44 7802 918423

The Problem
●  Our client has identified a risk, in terms of providing too much information to a potential attacker, due to WebSphere Application Server (WAS) returning its version string in the HTTP headers returned from a simple HTTPS request.

This is what we see
●  This is from IBM BPM Standard 7.5.1.1 ( Process Center )

This is how we resolve it
●  WAS includes the ability to override certain HTTP headers.
●  Overrides include:
   ServerHeaderValue – Allows the Server header to be set to a custom string
   RemoveServerHeader – Allows the Server header to be completely removed
●  This is documented in the Information Center ( see Bibliography )

How to set HTTP Headers - 1/2

How to set HTTP Headers - 2/2
OR

Example – Using ServerHeaderValue

Example – Using RemoveServerHeader
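As an added check (example code written for this page, not part of the original deck or of WAS itself), the script below parses captured HTTP response headers and classifies the Server header as removed (the RemoveServerHeader outcome), custom (the ServerHeaderValue outcome) or disclosing. It goes slightly beyond the deck by flagging any product name followed by a version-like token, not only the WebSphere string. The three sample responses are constructed; the value "WebSphere Application Server/7.0" is a stand-in for whatever a real server returns.

```python
"""Audit captured HTTP response headers for Server-header version disclosure.

Added example, not from the original slides. The sample responses are
constructed for illustration, not captured from a real system.
"""
import re

# Constructed "before" response: product name and version in the Server header.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: WebSphere Application Server/7.0\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Constructed response after setting ServerHeaderValue to a custom string.
RESPONSE_SERVER_HEADER_VALUE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Web Server\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Constructed response after setting RemoveServerHeader: no Server header at all.
RESPONSE_REMOVE_SERVER_HEADER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

SAMPLES = {
    "before": RESPONSE_BEFORE,
    "ServerHeaderValue": RESPONSE_SERVER_HEADER_VALUE,
    "RemoveServerHeader": RESPONSE_REMOVE_SERVER_HEADER,
}

# A "/" followed by a dotted number, e.g. the "/7.0" in "WebSphere Application Server/7.0".
VERSION_TOKEN = re.compile(r"/\s*\d+(\.\d+)*")


def parse_headers(raw):
    """Return {lower-cased header name: value} from a raw HTTP response.

    The status line is skipped, header names are compared case-insensitively
    (as HTTP requires) and a repeated header keeps its last value.
    """
    headers = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_server_header(raw):
    """Classify a response as 'removed', 'custom' or 'disclosing'."""
    server = parse_headers(raw).get("server")
    if server is None:
        return "removed"
    if "websphere" in server.lower() or VERSION_TOKEN.search(server):
        return "disclosing"
    return "custom"


def audit(samples):
    """Run the classification over a {label: raw response} mapping."""
    return {label: classify_server_header(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        print(f"{label}: {verdict}")
```

In practice the raw response would come from a client such as curl with verbose output against the server being hardened; the only verdict that confirms the fix is "removed" or "custom" for every endpoint checked, since a single unhardened transport chain still discloses the version.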
Backup
●  The same “risk” has been identified with IBM HTTP Server.
●  This can be mitigated by adding the following to the IHS httpd.conf file:
   AddServerHeader Off
   ServerTokens Prod
   ServerSignature Off
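To confirm the httpd.conf change actually took, here is an added example (written for this page, not from the deck or from IBM) that scans the configuration text for the three directives above and reports any that are missing or set to a different value. Both configuration snippets are constructed, including the ServerRoot path.

```python
"""Check an IBM HTTP Server httpd.conf for the three header-hardening
directives named in the deck. Added example; the configuration text
below is constructed for illustration."""
import re

# Directive values the deck recommends (names and values lower-cased,
# since Apache-style directives are case-insensitive).
EXPECTED = {
    "addserverheader": "off",
    "servertokens": "prod",
    "serversignature": "off",
}

# Constructed "before" config: verbose tokens and the hardening line commented out.
CONF_BEFORE = """\
ServerRoot "/opt/IBM/HTTPServer"
Listen 80
ServerTokens Full
ServerSignature On
# AddServerHeader Off   <- commented out, so not in effect
"""

# Constructed "after" config with the three directives from the deck.
CONF_AFTER = """\
ServerRoot "/opt/IBM/HTTPServer"
Listen 80
AddServerHeader Off
ServerTokens Prod
ServerSignature Off
"""

# Directive name followed by its first argument.
DIRECTIVE = re.compile(r"^\s*(\w+)\s+(\S+)")


def effective_directives(conf_text):
    """Return {directive: value} for the directives in EXPECTED.

    Comment lines are ignored and a later occurrence overrides an earlier
    one, matching the last-wins behaviour of a flat configuration file.
    """
    found = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).lower()
        if name in EXPECTED:
            found[name] = value
    return found


def audit_httpd_conf(conf_text):
    """Return a list of (directive, problem) pairs; empty means all three
    directives are present with the recommended value."""
    found = effective_directives(conf_text)
    problems = []
    for name, want in EXPECTED.items():
        got = found.get(name)
        if got is None:
            problems.append((name, "not set"))
        elif got != want:
            problems.append((name, f"is {got}, expected {want}"))
    return problems


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, audit_httpd_conf(conf) or "OK")
```

The scan is deliberately simple: it does not follow Include directives and treats every directive as global, so a value set inside a container such as a VirtualHost block is counted as if it applied server-wide. It is a quick sanity check on the file, not a substitute for looking at the live response headers.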
Bibliography
WAS 8.0 - Information Center - HTTP transport channel custom properties
WAS 7.0 - Information Center - HTTP transport custom properties
Apache Documentation - ServerSignature Directive
Apache Documentation - ServerTokens Directive
IHS Documentation - AddServerHeader Directive
