Suppressing HTTP Headers from WebSphere Application Server
18 December 2013 Version 0.5
Dave Hay, IBM Software Services for WebSphere (ISSW)
[email protected] | +44 7802 918423
The Problem
● Our client has identified a risk of disclosing too much information to a potential attacker: WebSphere Application Server (WAS) returns its product and version string in the Server header of the HTTP response to a simple HTTPS request.
This is what we see
● This is from IBM BPM Standard 7.5.1.1 ( Process Center )
This is how we resolve it
● WAS includes the ability to override certain HTTP headers.
● Overrides include: -
ServerHeaderValue – sets the Server header to a custom string
RemoveServerHeader – removes the Server header completely
● These are custom properties of the HTTP transport channel and take effect after the server is restarted. They are documented in the Information Center ( see Bibliography )
How to set HTTP Headers - 1/2
How to set HTTP Headers - 2/2
OR
Example – Using ServerHeaderValue
Example – Using RemoveServerHeader
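The screenshots for the two example slides did not survive extraction. The following is an added example, not part of the original deck: a small Python checker that reads the Server header of an HTTP response and classifies what it gives away, run against three constructed responses that stand in for the default state, the ServerHeaderValue state and the RemoveServerHeader state. The sample header value "WebSphere Application Server/7.0" and the custom string "MyServer" are assumptions chosen to illustrate the shape of the header, not the exact strings from the client's BPM 7.5.1.1 system.

```python
"""Classify what an HTTP Server header reveals about the stack.

Added example (not from the original slides). The three sample responses
below are constructed; the WAS header string is an illustrative assumption.
"""
import http.client
import re
import ssl

# Constructed sample: product/version banner, the state the deck calls the problem.
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: WebSphere Application Server/7.0\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Constructed: what the client sees after ServerHeaderValue=MyServer (assumed value).
CUSTOM_RESPONSE = DEFAULT_RESPONSE.replace(
    "Server: WebSphere Application Server/7.0", "Server: MyServer")
# Constructed: what the client sees after RemoveServerHeader=true.
REMOVED_RESPONSE = DEFAULT_RESPONSE.replace(
    "Server: WebSphere Application Server/7.0\r\n", "")

# Product names whose presence alone identifies the stack, even without a version.
KNOWN_PRODUCTS = ("websphere", "ibm_http_server", "apache", "nginx", "iis")
# "Something/1.2.3" style version suffix.
VERSION_RE = re.compile(r"/\s*\d+(\.\d+)*")


def parse_headers(raw):
    """Return {lowercased header name: value} from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_server_header(raw):
    """Return 'absent', 'version', 'product' or 'opaque' for the Server header.

    absent  - no Server header at all (RemoveServerHeader / AddServerHeader Off)
    version - product and version disclosed (the default banner)
    product - product named but version hidden (e.g. ServerTokens Prod)
    opaque  - a string that names no known product (ServerHeaderValue)
    """
    value = parse_headers(raw).get("server")
    if value is None:
        return "absent"
    if VERSION_RE.search(value):
        return "version"
    if any(p in value.lower() for p in KNOWN_PRODUCTS):
        return "product"
    return "opaque"


def fetch_raw_headers(host, port=443, path="/", verify=True):
    """HEAD request over HTTPS; returns the raw response head for classification.

    Not called in the offline demo below. Set verify=False only for a lab
    server with a self-signed certificate.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        status = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        hdrs = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    finally:
        conn.close()
    return status + hdrs + "\r\n"


if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_RESPONSE),
                       ("ServerHeaderValue", CUSTOM_RESPONSE),
                       ("RemoveServerHeader", REMOVED_RESPONSE)):
        print(f"{label:20s} -> {classify_server_header(raw)}")
```

Run it against your own server with `classify_server_header(fetch_raw_headers("host.example"))` before and after the restart that applies the custom property; "version" is the finding the client raised, "opaque" or "absent" is the target state.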
Backup
● The same “risk” has been identified with IBM HTTP Server.
● This can be mitigated by adding: -
AddServerHeader Off
ServerTokens Prod
ServerSignature Off
to the IHS httpd.conf file.
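As an added example, not from the original deck, the script below audits an httpd.conf for the three directives named above. It keeps the last occurrence of each directive, since Apache (and therefore IHS) applies the last definition in a scope, skips commented lines, and reports anything missing or set to a weaker value. Both configuration fragments are constructed; the paths and the module name are illustrative assumptions.

```python
"""Audit an IBM HTTP Server httpd.conf for Server-header disclosure settings.

Added example (not from the original slides). Checks the three directives the
deck names: AddServerHeader, ServerTokens, ServerSignature. Configs are constructed.
"""
import re

# Constructed: a config that still leaks the banner. ServerTokens is only
# present as a comment, so the default (full product and version) applies.
WEAK_CONF = """\
ServerRoot "/opt/IBM/HTTPServer"
Listen 443
# ServerTokens Full
ServerSignature On
LoadModule was_ap22_module modules/mod_was_ap22_http.so
"""

# Constructed: the same config with the three directives from the deck appended.
# Appending works because the last occurrence of a directive in a scope wins.
HARDENED_CONF = WEAK_CONF + """\
AddServerHeader Off
ServerTokens Prod
ServerSignature Off
"""

# Expected value per directive, compared case-insensitively.
EXPECTED = {
    "addserverheader": "off",   # IHS-specific: drop the Server header entirely
    "servertokens": "prod",     # product name only, no version
    "serversignature": "off",   # no footer line on server-generated pages
}
DIRECTIVE_RE = re.compile(r"^(\w+)\s+(\S+)")


def effective_directives(conf_text):
    """Return {directive: value}, lowercased, keeping the last occurrence of each.

    Comment lines are ignored. Container scoping (<VirtualHost>, <Directory>)
    is deliberately not modelled: ServerTokens and AddServerHeader are
    server-wide anyway, and this check is meant as a first pass, not a parser.
    """
    found = {}
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(stripped)
        if m:
            found[m.group(1).lower()] = m.group(2).lower()
    return found


def audit(conf_text):
    """Return a list of findings; an empty list means all three are set as expected."""
    seen = effective_directives(conf_text)
    findings = []
    for name, want in EXPECTED.items():
        have = seen.get(name)
        if have is None:
            findings.append(f"{name}: not set (default applies)")
        elif have != want:
            findings.append(f"{name}: is '{have}', expected '{want}'")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```

After editing httpd.conf, run `apachectl -t` (or `bin/apachectl -t` under the IHS install) to validate syntax, restart IHS, and confirm the result with a HEAD request: with all three directives in place the response carries no Server header at all.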
Bibliography
WAS 8.0 – Information Center – HTTP transport channel custom properties
WAS 7.0 – Information Center – HTTP transport custom properties
Apache Documentation – ServerSignature Directive
Apache Documentation – ServerTokens Directive
IHS Documentation – AddServerHeader Directive