Was looking through some of the web server vulnerability problems again. Most of the servers do send the server name in the http response. In case you have any livehttpheaders or IEhttpheaders, the response from any of the Application servers can be checked and most of them would contain the server name and probably version as well.
Here is how you can turn it off in some app servers
In Pramati Server, changing value of display-server-name in-header tag to false in web-config.xml would do the trick.
To prevent a WebLogic Server instance from sending its name and version number, disable the Send Server Header attribute in the Administration Console. The attribute is located on the Server —>ServerName —>Configuration —>Protocols —>HTTP tab.
A new environment variable, SERVER_TOKEN_OFF, has been added to
WebSphere Application Server for z/OS v4.0.1 that suppresses Server header in the response
Apache webserver you can turn this off by setting ServerTokens option to prod. This does not eliminate the server name just removes the version of the Apache server.
Wednesday, June 13, 2007
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment