1. Suppressing HTTP Headers from
WebSphere Application Server
18 December 2013 Version 0.5
Dave Hay
IBM Software Services for WebSphere (ISSW)
david_hay@uk.ibm.com
+44 7802 918423
2. The Problem
● Our client has identified a risk, in terms of providing too much information to a potential attacker: WebSphere Application Server (WAS) returns its product name and version string in the Server header of the HTTP response to a simple HTTPS request.
3. This is what we see
● This is from IBM BPM Standard 7.5.1.1 (Process Center)
4. This is how we resolve it
● WAS includes the ability to override certain HTTP headers via custom properties on the HTTP transport channel.
● Overrides include:
  ServerHeaderValue – allows the Server header to be set to a custom string
  RemoveServerHeader – allows the Server header to be completely removed
● This is documented in the Information Center (see Bibliography)
9. Backup
● The same “risk” has been identified with IBM HTTP Server (IHS), which also returns its product name and version in the Server header.
● This can be mitigated by adding:
  AddServerHeader Off
  ServerTokens Prod
  ServerSignature Off
  to the IHS httpd.conf file.
● AddServerHeader Off (an IHS directive) suppresses the Server header altogether; ServerTokens Prod limits the header, where it is still sent, to the product name without a version; ServerSignature Off removes the server/version footer from server-generated pages such as error pages.
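A check for both the WAS custom properties (slide 4) and the IHS directives (slide 9) is to look at what the server actually sends back. The script below is an added example for this deck, not code from the slides or from IBM: it classifies the Server header in a raw HTTP response as absent, unversioned or versioned, and can probe a live host over HTTPS. The host name, port and the sample header blocks are constructed assumptions; the default header strings on a real WAS 7.0/8.0 or IHS install may differ.

```python
"""Check whether a WAS / IHS endpoint still discloses its product and version
in the Server response header.

Added example for this deck, not code from the slides or from IBM. It
classifies a raw HTTP response header block (constructed samples below) and
can also probe a live host over HTTPS; host names, ports and sample header
text are assumptions, not captured from the client environment described."""
import http.client
import re
import ssl

# A Server value carrying a version component ("Product/8.0", "x 2.4") is the
# disclosure the slides want suppressed; a bare product token is what IHS
# "ServerTokens Prod" leaves behind; no header at all is the result of
# RemoveServerHeader=true (WAS) or AddServerHeader Off (IHS).
VERSION_RE = re.compile(r"/\d|\d+\.\d+")


def parse_raw_headers(raw):
    """Turn 'HTTP/1.1 200 OK\\r\\nName: value\\r\\n...' into [(name, value), ...]."""
    headers = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def classify_server_header(headers):
    """Return 'absent', 'unversioned' or 'versioned' for the Server header."""
    values = [v for name, v in headers if name.lower() == "server"]
    if not values:
        return "absent"
    if any(VERSION_RE.search(v) for v in values):
        return "versioned"
    return "unversioned"


def probe(host, port=9443, path="/", verify_tls=True, timeout=10):
    """HEAD request over HTTPS; returns the classification for a live server.
    Not exercised offline. verify_tls=False is only for a lab using the
    self-signed certificate a default WAS profile ships with."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return classify_server_header(resp.getheaders())
    finally:
        conn.close()


# Constructed header blocks illustrating each configuration (assumed strings).
WAS_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: WebSphere Application Server/7.0\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)
WAS_CUSTOM_VALUE = (           # ServerHeaderValue = "Application Server"
    "HTTP/1.1 200 OK\r\n"
    "Server: Application Server\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)
WAS_REMOVED = (                # RemoveServerHeader = true
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
)
IHS_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: IBM_HTTP_Server/7.0.0.27 (Unix)\r\n"
    "Content-Type: text/html\r\n\r\n"
)
IHS_TOKENS_PROD = (            # ServerTokens Prod, header still sent
    "HTTP/1.1 200 OK\r\n"
    "Server: IBM_HTTP_Server\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def report(samples):
    """Classify each named raw response; returns {name: classification}."""
    return {name: classify_server_header(parse_raw_headers(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in report({
        "WAS default": WAS_DEFAULT,
        "WAS ServerHeaderValue": WAS_CUSTOM_VALUE,
        "WAS RemoveServerHeader": WAS_REMOVED,
        "IHS default": IHS_DEFAULT,
        "IHS ServerTokens Prod": IHS_TOKENS_PROD,
    }).items():
        print(f"{name:24s} {verdict}")
```

Against a real server the same check is `curl -sI https://host:9443/ | grep -i '^server:'` (an empty result is the target state). The WAS custom properties are set per HTTP inbound channel, so apply them to every transport chain whose port is exposed, not only the secure one, and restart the server before re-testing; note that a front-end IHS still needs the httpd.conf directives above because it adds its own Server header.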
10. Bibliography
WAS 8.0 - Information Center - HTTP transport channel custom properties
WAS 7.0 - Information Center - HTTP transport custom properties
Apache Documentation - ServerSignature Directive
Apache Documentation - ServerTokens Directive
IHS Documentation - AddServerHeader Directive