Hide Server Banner and Product Info from HTTP Header

Updated on:

Overview

Probably one of the first tasks to do while setting up the production environment is to mask the Apache (or) IHS (IBM HTTP Server) version and Server Banner in a header. This is not critical but considered low risk as information leakage vulnerability and must do for PCI DSS compliant application.

 

Affected versions

IHS 7.x

IHS 8.x

Apache HTTPD Servers

 

Solution

  • Login to Apache or IHS server
  • Take a backup of the configuration file
  • Add the following three directives in httpd.conf file of your IHS (or) Apache HTTPD

 

AddServerHeader Off
ServerTokens Prod
ServerSignature Off
  • Save the file and restart the IHS or HTTPD

 

Cheers

Follow me on Linkedin My Profile
Follow DevopsJunction onFacebook orTwitter
For more practical videos and tutorials. Subscribe to our channel

Buy Me a Coffee at ko-fi.com

Signup for Exclusive "Subscriber-only" Content

More from Middleware Inventory

  • How to install IBM HTTP Server and Websphere Plugin - IBM Installation Manager

    This post gives the screenshots and steps to install the IBM HTTP server and WebSphere plugin. Step1: Launch the Installation Manager and add the Diskconfig  files using the File --> Preferences tab in the Installation Manager Step2: Add a repository using Add Repository Button  and install the Packages using the…

  • Disable WebServer Banner Apache/IHS

    Overview Don’t display or send Apache version (Set ServerTokens) By default, the server HTTP response header will contains apache and php version. Something similar to the following. This is harmful, as we don’t want an attacker to know about the specific version number. Apache can reveal information by default configuration,…

  • weblogic server status script - WLST

    A Small and Simple script to get all the server status from the weblogic domain, Including AdminServer & Managed Server. The Jython Script How to Execute this script Copy the preceding script content to a file, let's say /tmp/get_wls_serverstate.py cd domain/bin . ./setDomainEnv.sh java weblogic.WLST /tmp/get_wls_serverstate.py Script Output  Hope this…

  • Internal Server Error while starting the Weblogic Server using RESTful API

    When you are trying to start the Managed server using weblogic management REST API ,  sometimes you get Internal Server Error but the server will be started though.   Issue snippet:   [email protected]:/apps/oracle-weblogic/domains/mwidomain/bin$ curl -v \ > --user weblogic:weblogic1 \ > -H Content-Type:application/json \ > -H Host:localhost \ > -H…

  • Disabling IIS Web Banner And Other IIS Headers

    Overview            Microsoft IIS loves to tell the world that a website runs on IIS. It does so with the Serverheader in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information…