Post on 12-May-2015
Suppressing HTTP Headers from WebSphere Application Server
18 December 2013 Version 0.5
Dave Hay
IBM Software Services for WebSphere (ISSW)
david_hay@uk.ibm.com
+44 7802 918423
The Problem
● Our client has identified a risk of disclosing too much information to a potential attacker: WebSphere Application Server (WAS) returns its product name and version string in the Server HTTP header of the response to a simple HTTPS request.
This is what we see
● This is from IBM BPM Standard 7.5.1.1 ( Process Center ) (screenshot of the response headers not reproduced here)
This is how we resolve it
● WAS includes the ability to override certain HTTP headers via custom properties on the HTTP inbound channel of the web container transport chain.
● Overrides include:
ServerHeaderValue – Allows the Server header to be set to a custom string
RemoveServerHeader – Allows the Server header to be removed completely (set to true)
● This is documented in the Information Center ( see Bibliography )
How to set HTTP Headers - 1/2
How to set HTTP Headers - 2/2
(Administrative console screenshots not reproduced; the custom property is added under the HTTP inbound channel of the server's web container transport chain, as described in the Information Center pages listed in the Bibliography, and the server is restarted for the change to take effect.)
Example – Using ServerHeaderValue (screenshot not reproduced)
Example – Using RemoveServerHeader (screenshot not reproduced)
Backup
● The same “risk” has been identified with IBM HTTP Server (IHS), which sends its own Server header and server signature.
● This can be mitigated by adding:
    AddServerHeader Off
    ServerTokens Prod
    ServerSignature Off
to the IHS httpd.conf file and restarting IHS. AddServerHeader Off removes the Server header entirely; ServerTokens Prod on its own still reports the product name without a version; ServerSignature Off removes the server line from server-generated pages such as error pages.
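The deck shows the WAS and IHS changes but not how to confirm them from the client side. The following added example (not part of the original deck, and not IBM code) parses a captured HTTPS response head and classifies its Server header as removed, present without a version, or leaking a version, which covers both the WAS custom properties and the IHS directives above. The sample responses are constructed by hand to mirror the before and after states the deck describes; the header values and the hostname and port used in the live probe are illustrative assumptions.

```python
# Added example: client-side check of the Server header before and after the
# WAS (ServerHeaderValue / RemoveServerHeader) and IHS (AddServerHeader,
# ServerTokens, ServerSignature) changes. Not code from the original deck.
import re
import ssl
import http.client

# Matches a dotted version number such as 7.0 or 8.5.5.2 anywhere in the value.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_response_head(raw):
    """Split a raw HTTP/1.x response head into (status line, {lowercased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def assess_server_header(headers):
    """Classify the Server header: absent, present without a version, or leaking a version."""
    server = headers.get("server")
    if server is None:
        return {"server": None, "present": False, "leaks_version": False, "verdict": "removed"}
    leaks = VERSION_RE.search(server) is not None
    return {
        "server": server,
        "present": True,
        "leaks_version": leaks,
        "verdict": "leaks version" if leaks else "present, no version",
    }


def assess_raw(raw):
    """Convenience wrapper for a captured raw response (bytes)."""
    _, headers = parse_response_head(raw)
    return assess_server_header(headers)


def probe(host, port=443, path="/", verify=True):
    """Issue one HTTPS GET and assess the live Server header (needs network; not used by the samples)."""
    ctx = ssl.create_default_context()
    if not verify:  # lab systems with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        headers = {name.lower(): value for name, value in resp.getheaders()}
    finally:
        conn.close()
    return assess_server_header(headers)


# Constructed samples (illustrative, not captured output): WAS default header,
# ServerHeaderValue set to a custom string, RemoveServerHeader=true, and IHS with
# ServerTokens Prod but without AddServerHeader Off.
SAMPLE_WAS_DEFAULT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: WebSphere Application Server/7.0\r\n"
    b"Content-Type: text/html\r\n\r\n"
)
SAMPLE_WAS_CUSTOM = b"HTTP/1.1 200 OK\r\nServer: WebServer\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_WAS_REMOVED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_IHS_PROD = b"HTTP/1.1 200 OK\r\nServer: IBM_HTTP_Server\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("WAS default", SAMPLE_WAS_DEFAULT),
                       ("ServerHeaderValue", SAMPLE_WAS_CUSTOM),
                       ("RemoveServerHeader", SAMPLE_WAS_REMOVED),
                       ("IHS ServerTokens Prod", SAMPLE_IHS_PROD)):
        print(label, assess_raw(raw))
    # Live check against a real server, e.g. probe("bpm.example.com", 9443, verify=False)
```

Run the check against both the WAS HTTPS port and the IHS front end after restarting each server; if IHS sits in front of WAS, a "present, no version" result on the IHS port only shows that the IHS directives took effect, so check the WAS port directly as well.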
Bibliography
WAS 8.0 - Information Center - HTTP transport channel custom properties
WAS 7.0 - Information Center - HTTP transport custom properties
Apache Documentation - ServerSignature Directive
Apache Documentation - ServerTokens Directive
IHS Documentation - AddServerHeader Directive