Upcoming SlideShare
-
Full NameComment goes here.Delete Reply Block
-
Freda ClaptonYou have to choose carefully. ⇒ www.HelpWriting.net ⇐ offers a professional writing service. I highly recommend them. The papers are delivered on time and customers are their first priority. This is their website: ⇒ www.HelpWriting.net ⇐Reply -
glycamsarsigh81Dating direct: ♥♥♥ http://bit.ly/39sFWPG ♥♥♥Reply
Suppressing http headers from web sphere application server
- 1. Suppressing HTTP Headers from WebSphere Application Server 18 December 2013 Version 0.5 Dave Hay IBM Software Services for WebSphere (ISSW) david_hay@uk.ibm.com +44 7802 918423
- 2. The Problem ● Our client has identified a risk, in terms of providing too much information to a potential attacker, due to WebSphere Application Server (WAS) returning it's version string in the HTTP headers returned from a simple HTTPS request.
- 3. This is what we see ● This is from IBM BPM Standard 7.5.1.1 ( Process Center )
- 4. This is how we resolve it ● ● WAS includes the ability to override certain HTTP headers. Overrides include: ServerHeaderValue – Allows Server Header to be set to a custom string RemoveServerHeader – Allows Server Header to be completed removed ● This is documented in the Information Center ( see Bibliography )
- 5. How to set HTTP Headers - 1/2
- 6. How to set HTTP Headers - 2/2 OR
- 7. Example – Using ServerHeaderValue
- 8. Example – Using RemoveServerHeader
- 9. Backup ● ● The same “risk” has been identified with IBM HTTP Server. This can be mitigated by adding: AddServerHeader Off ServerTokens Prod ServerSignature Off to the IHS httpd.conf file.
- 10. Bibliography WAS 8.0 - Information Center - HTTP transport channel custom properties WAS 7.0 – Information Center - HTTP transport custom properties Apache Documentation - ServerSignature Directive Apache Documentation - ServerTokens Directive IHS Documentation - AddServerHeader Directive