Server Details - HTTP Header Information Security

Web servers often broadcast server information by default. This can include the operating system (Linux, Windows, etc.), the operating system version, the kind of web server you are running (IIS, Apache, etc.) and, in some cases, the web server modules installed.

Why are HTTP Headers related to Server Information a Risk?

This information is carried in HTTP headers, and sent back in the response to every web page request made by a user visiting your page. As a result, it is very easy for anyone to find out what kind of setup such a server is using.

By itself, this information is harmless, although it does give away some information about your website setup. A dedicated attacker can use this information to find and craft attacks specific to your system, or automated attacks may search for specific configurations to attack. Although it is difficult to prevent someone from finding this information using other methods, disabling server headers reduces the likelihood of attacks on the site.

How Does this Impact my Security?

A dedicated attacker can find out this information in a variety of ways, most of which cannot be easily prevented. By itself, this information provides little value to an attacker.

The most common use of this kind of information is automated attacks which search on Google for specific server configurations known to be vulnerable, or which automate attacks known to work against setups similar to what is found on the site. Removing these values from the Server header will prevent these types of automated attacks from occurring.

Solutions

Although it is not necessarily possible to completely prevent this knowledge from being discovered, it is possible to make it significantly more difficult for attackers. Each web server will require a different configuration change, but I have provided the configuration changes for the most common web server (Apache) here. These changes will remove the HTTP headers which include server configuration and type information, increasing overall website security.

Modify Apache to prevent unwanted disclosure of server information:

To modify Apache, there are a few steps which must be followed. You or a technical resource will need access to the Apache configuration file on the server, and a few moments to restart the web service after making the change.

  1. Navigate to your httpd.conf file. This is often located in /etc/httpd/conf, /etc/apache2 or /etc/apache.
  2. Open the config file using a text editor. On Unix systems, the most common one is vi (command: vi httpd.conf).
  3. Find the line including ServerTokens (if using vi, you can find this quickly by typing /ServerTokens).
  4. If the line exists, update it to read ServerTokens Prod.
  5. If the line does not exist, add it to the bottom of the file.
  6. Make sure no other characters such as # (indicating a comment) are in front of the line.
  7. Find a line including ServerSignature in the same file.
  8. Update this line so it reads ServerSignature Off (again, ensure there is no # sign).
  9. If the line does not exist, you can add it to the end of the file.
  10. Save the configuration file (if in vi, the command is :wq).
  11. Restart Apache. Typically: httpd restart
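As an added example that is not part of the original article, the following POSIX shell script applies the checks from the steps above to a configuration file: it ignores commented-out lines (step 6), takes the last uncommented occurrence of each directive (the one Apache honours at server scope), and reports whether ServerTokens is Prod and ServerSignature is Off. The function names and the sample configuration it writes to a temporary file are my own constructions.

```shell
#!/bin/sh
# Audit helper for the two Apache directives covered in the steps above.

# Print the effective value of a directive, lower-cased ("" if absent).
# $1 = config file, $2 = directive name. Lines starting with # are skipped
# because the anchored pattern only allows whitespace before the name.
effective_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 \
        | awk '{print $2}' | tr '[:upper:]' '[:lower:]'
}

# Return 0 only if ServerTokens is Prod and ServerSignature is Off.
# An absent ServerTokens is reported as a failure because Apache's default
# is Full; an absent ServerSignature is accepted because its default is Off.
audit_apache_headers() {
    conf="$1"
    rc=0
    tokens=$(effective_value "$conf" ServerTokens)
    signature=$(effective_value "$conf" ServerSignature)

    if [ "$tokens" = "prod" ]; then
        echo "ServerTokens: Prod (ok)"
    else
        echo "ServerTokens: ${tokens:-unset (Apache default is Full)} -> set 'ServerTokens Prod'"
        rc=1
    fi

    if [ -z "$signature" ] || [ "$signature" = "off" ]; then
        echo "ServerSignature: ${signature:-unset (Apache default is Off)} (ok)"
    else
        echo "ServerSignature: $signature -> set 'ServerSignature Off'"
        rc=1
    fi
    return $rc
}

# Constructed sample config (not from any real server). The commented-out
# ServerTokens line must be ignored, so the effective value is Full and the
# audit reports both directives as needing a fix.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# ServerTokens Prod
ServerTokens Full
ServerSignature On
EOF
audit_apache_headers "$SAMPLE_CONF" || echo "sample config is not hardened"
rm -f "$SAMPLE_CONF"
```

Run it against your real file with `audit_apache_headers /etc/httpd/conf/httpd.conf` (adjust the path from step 1); a non-zero exit status means at least one directive still needs the change described above.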

Additional Resources

Find Insecure Settings on your Webserver

Golem Technologies includes numerous different server setting scans to help you reduce your exposure to attack with thorough security scanning, including application server setup. See how the Golem Scan can help your business today.