Suppress WAS HTTP Headers
1. Suppressing HTTP Headers from WebSphere Application Server
18 December 2013 Version 0.5
Dave Hay
IBM Software Services for WebSphere (ISSW)
david_hay@uk.ibm.com
+44 7802 918423
2. The Problem
● Our client has identified a risk of disclosing too much information to a potential attacker: WebSphere Application Server (WAS) returns its version string in the HTTP response headers of even a simple HTTPS request.
3. This is what we see
● This is from IBM BPM Standard 7.5.1.1 (Process Center)
4. This is how we resolve it
● WAS includes the ability to override certain HTTP headers through custom properties on the HTTP transport channel.
● Overrides include:
  – ServerHeaderValue – allows the Server header to be set to a custom string
  – RemoveServerHeader – allows the Server header to be removed completely
● This is documented in the Information Center (see Bibliography).
9. Backup
● The same “risk” has been identified with IBM HTTP Server (IHS).
● This can be mitigated by adding the following to the IHS httpd.conf file:
  AddServerHeader Off
  ServerTokens Prod
  ServerSignature Off
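A verification step for both the WAS custom properties (slide 4) and the IHS directives (slide 9), added here as an example; it is not part of the original deck and not IBM's own tooling. It fetches only the response headers with curl and reports whether the Server header still carries a version number. The URL, the header dumps and the version strings in the samples are constructed placeholders, not captures from a real system.

```shell
#!/bin/sh
# Added example: does an endpoint still disclose a product version in its
# Server header after RemoveServerHeader / ServerHeaderValue (WAS) or
# AddServerHeader Off / ServerTokens Prod (IHS) have been applied?
# Assumptions (not from the deck): curl is installed; a header dump is one
# "Name: value" line per header, as curl prints it with -D -.

# server_header_of: print the value of the first Server header in the header
# dump read on stdin (case-insensitive, CR stripped); prints nothing if absent.
server_header_of() {
    tr -d '\r' | grep -i '^server:' | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# server_header_leaks: return 0 (true) when the Server header contains a
# dotted version number such as 8.0 or 8.0.0.3, 1 otherwise. Reads stdin.
server_header_leaks() {
    value=$(server_header_of)
    printf '%s\n' "$value" | grep -Eq '[0-9]+(\.[0-9]+)+'
}

# check_endpoint URL: issue a GET, keep only the headers and report.
# Returns 0 when clean, 1 when a version is disclosed, 2 when curl failed.
# Trust a test certificate explicitly with --cacert rather than disabling
# verification with -k.
check_endpoint() {
    url=$1
    hdrs=$(curl -sS -D - -o /dev/null --max-time 10 "$url") || return 2
    if printf '%s\n' "$hdrs" | server_header_leaks; then
        printf 'LEAK %s -> Server: %s\n' "$url" "$(printf '%s\n' "$hdrs" | server_header_of)"
        return 1
    fi
    printf 'OK   %s -> Server header absent or version-free\n' "$url"
    return 0
}

# Constructed header dumps for an offline dry run (not real captures).
BEFORE='HTTP/1.1 200 OK
Server: WebSphere Application Server/8.0
Content-Type: text/html'
IHS_FULL='HTTP/1.1 200 OK
Server: IBM_HTTP_Server/8.0 (Unix)
Content-Type: text/html'
AFTER_PROD='HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html'
AFTER_REMOVED='HTTP/1.1 200 OK
Content-Type: text/html'

# Dry run over the constructed samples.
for sample in "$BEFORE" "$IHS_FULL" "$AFTER_PROD" "$AFTER_REMOVED"; do
    if printf '%s\n' "$sample" | server_header_leaks; then
        printf 'constructed sample leaks version: %s\n' "$(printf '%s\n' "$sample" | server_header_of)"
    else
        printf 'constructed sample is clean: "%s"\n' "$(printf '%s\n' "$sample" | server_header_of)"
    fi
done

# Live check against a real deployment (placeholder host, not in the deck):
#   check_endpoint https://process-center.example.com:9443/
```

Note the difference between the two IHS outcomes above: ServerTokens Prod still names the product (IBM_HTTP_Server), which passes the version check but is not anonymous; AddServerHeader Off removes the header altogether. ServerSignature Off separately stops the version appearing in the footer of server-generated pages such as error responses, which this header check does not cover.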
10. Bibliography
WAS 8.0 – Information Center – HTTP transport channel custom properties
WAS 7.0 – Information Center – HTTP transport custom properties
Apache Documentation – ServerSignature Directive
Apache Documentation – ServerTokens Directive
IHS Documentation – AddServerHeader Directive