- ETags sent by the web server are also considered an information leakage issue on the web server.
- Apache (httpd.conf & ssl.conf)
- Enable "LoadModule headers_module modules/mod_headers.so"
*************************************************************
LoadModule headers_module modules/mod_headers.so
Header unset Server
Header unset Etag
ServerSignature Off
ServerTokens Prod
TraceEnable off
*************************************************************
To test: curl -I http://ipAddressOrHostName:port
Note: ServerTokens Prod trims the Server header to "Apache" rather than removing it; mod_headers cannot unset the Server header entirely because httpd core appends it after the Header directives have run.
Disable X-Powered-By on (apache-Web / IBM HTTP Server).
- Although the "x-powered-by: jsp/2.2" header (including its version) is added by the application server, it can also be stripped at the web server.
- Apache (httpd.conf & ssl.conf)
- Enable "LoadModule headers_module modules/mod_headers.so"
*************************************************************
LoadModule headers_module modules/mod_headers.so
Header always unset "X-Powered-By"
Header unset "X-Powered-By"
*************************************************************
To test: curl -I http://ipAddressOrHostName:port
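As an added example (not part of the original post), the following POSIX shell script automates the "curl -I" check for both procedures above: it reads a raw response header block and reports a versioned Server header, an ETag, or an X-Powered-By header. The sample responses are constructed for illustration and not captured from any real host; the function and variable names are my own.

```shell
#!/bin/sh
# Audit a raw HTTP response header block (as printed by `curl -I`) for the three
# disclosures discussed above: Server version, ETag and X-Powered-By.

# check_headers: reads headers on stdin, prints one line per finding, and exits
# 0 when clean or 1 when at least one leaking header is present.
check_headers() {
  awk '
    {
      sub(/\r$/, "")                       # strip CRLF line endings from curl output
      i = index($0, ":")
      if (i == 0) next                     # status line or blank line, not a header
      name = tolower(substr($0, 1, i - 1)) # header names are case-insensitive
      val  = substr($0, i + 1)
      sub(/^[ \t]+/, "", val)
      # ServerTokens Prod leaves "Server: Apache"; any digit means a version is exposed
      if (name == "server" && val ~ /[0-9]/) { print "Server discloses version: " val; n++ }
      if (name == "etag")                   { print "ETag present: " val; n++ }
      if (name == "x-powered-by")           { print "X-Powered-By present: " val; n++ }
    }
    END { exit (n > 0) }'
}

# audit_url: run the same check against a live server, as the post suggests.
audit_url() {
  curl -sI "$1" | check_headers
}

# Constructed sample responses (not captured from any real host).
SAMPLE_BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.57 (Unix)
ETag: "2d-5f4e6a7b8c9d0"
X-Powered-By: JSP/2.2
Content-Type: text/html'

SAMPLE_AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html'

# Demo: the "before hardening" sample should produce three findings.
if printf '%s\n' "$SAMPLE_BEFORE" | check_headers; then
  echo "clean"
else
  echo "leaking headers found"
fi
```

Run it as `audit_url http://ipAddressOrHostName:port` after sourcing the script to check a real server; the "after hardening" sample produces no findings, the "before" sample three.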
Thanks 😊