WAS | How to disable server name header

WebSphere - How to disable server name header

Test Version

• Test OS : CentOS 7.2
• Test WAS : WebSphere v8.5

X-Powered-By disable setting

• 보안 취약점 사항

• IBM HTTPServer (apache)
  This can be mitigated by adding (httpd.conf):

AddServerHeader Off
ServerTokens Prod
ServerSignature Off

• WebSphere
  v8.5.0.2 이하 버전에서는 두가지 옵션으로 server version 노출을 방지.

• ServerHeaderValue :
  Use the ServerHeaderValue property to replace the default value of the Server header that is added to all outgoing HTTP responses by server if a Server header does not already exist. The default value for the Server header is WebSphere Application Server v/x.x, where x.x is the version of WebSphere Application Server that is running on your system.

• RemoveServerHeader :
  Use the RemoveServerHeader property to force the removal of any server header from HTTP responses that the application server sends, thereby hiding the identity of the server program.

setting link : https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/rrun_chain_httpcustom.html

Starting with Version 8.5.0.2, a Server header is no longer automatically added to all outgoing HTTP responses if a Server header does not already exist. If you add this property with a value, that value is included in the Server header that appears in the response. If you specify the value DefaultServerValue, WebSphere Application Server v/x.x is used as the Server header value.