Written on 1:04:00 PM by S. Potter
Continuing the series that looks at how to prevent information leakage, today we look at the information leakage from web server HTTP headers.
HTTP Header Leakage

Let's look at the information potential hackers can get from HTTP headers from just a GET / HTTP request. Let us look at http://www.cnn.com:

$ curl -I http://www.cnn.com
HTTP/1.1 200 OK
Date: Thu, 07 Feb 2008 15:22:32 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=60, private
Expires: Thu, 07 Feb 2008 15:23:23 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
X-Pad: avoid browser bug
Content-Length: 90458

This example is pretty decent. What you want to look for is the Server HTTP header value. In this case it is just "Apache". It does identify the web server used, but it doesn't pinpoint the version being used. Now I am going to try a popular Rails website:
HTTP/1.1 200 OK
Date: Thu, 07 Feb 2008 15:25:34 GMT
Server: Apache/2.2.2 (FreeBSD) mod_ssl/2.2.2 OpenSSL/0.9.8b DAV/2 PHP/5.1.4 SVN/1.3.2 mod_vd/2.0 mod_fastcgi/2.4.2 proxy_html/2.5
Last-Modified: Thu, 07 Feb 2008 14:58:58 GMT
ETag: "4da437-36ac-b69b1080"
Accept-Ranges: bytes
Content-Length: 13996
Vary: Accept-Encoding
Content-Type: text/html

In this case we can see what OS Apache is running on and the version of Apache. Not only that, we also see all the enabled Apache modules and their respective versions. IMHO this is too much information, especially considering this site supposedly (at least as far as I know) is hosted in a fully controlled environment (either dedicated or a VPS with root access). Applications on shared hosts cannot help this much without assistance from the shared hosting company. I have a couple of very small sites that get little traffic on a shared host, so I appreciate this obstacle.

Moral of this story: if you have full control over your environment you should always either change the "Server" HTTP header to something generic (e.g. "Apache", as in the CNN example) or disable it from being returned to the client. This setting is very easy in Apache, LigHTTPd and NGinx. I assume this wouldn't be difficult in LiteSpeed either, but I do not have configuration experience with LiteSpeed.

Apache configuration:

Header unset Server

LigHTTPd configuration:

server.tag = ""
Also make sure there aren't any other headers that give away too much information. Especially look at the X- HTTP headers (for example X-Powered-By), which often exist only to advertise the software stack.
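As an added example (not code from the original post), here is a small Python audit that parses a raw response head like the two curl outputs above and flags a Server header that leaks versions or platform, plus X- headers that advertise the stack; the severity labels and the STACK_HEADERS list are my own assumptions, and the sample heads are constructed from the responses quoted in the post.

```python
import re

# Headers whose only job is to advertise the stack (constructed list, not exhaustive).
STACK_HEADERS = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator"}
VERSION_RE = re.compile(r"[A-Za-z][\w-]*/\d+(?:\.\d+)*[\w-]*")  # Apache/2.2.2, OpenSSL/0.9.8b, DAV/2
OS_RE = re.compile(r"\(([^)]*)\)")                                 # (FreeBSD), (Ubuntu)

def parse_head(raw):
    """Split a raw HTTP response head into (status line, {lower-cased name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers

def audit(raw):
    """Return findings as (severity, header, detail) tuples; an empty list means nothing leaked."""
    _, headers = parse_head(raw)
    findings = []
    for name, value in headers.items():
        versions = VERSION_RE.findall(value)
        if name == "server":
            if versions:  # anything beyond a bare product name such as "Apache" is a version leak
                findings.append(("high", name, "versions: " + ", ".join(versions)))
            for platform in OS_RE.findall(value):
                findings.append(("medium", name, "platform: " + platform))
        elif name in STACK_HEADERS:
            findings.append(("high", name, "stack advertised: " + value))
        elif name.startswith("x-") and versions:
            findings.append(("high", name, "versions: " + ", ".join(versions)))
        elif name.startswith("x-"):
            findings.append(("low", name, "non-standard header, review: " + value))
    return findings

# Constructed sample heads, transcribed from the two responses quoted in the post.
CNN_HEAD = """HTTP/1.1 200 OK
Server: Apache
X-Pad: avoid browser bug
Content-Type: text/html"""

RAILS_HEAD = """HTTP/1.1 200 OK
Server: Apache/2.2.2 (FreeBSD) mod_ssl/2.2.2 OpenSSL/0.9.8b DAV/2 PHP/5.1.4 SVN/1.3.2 mod_vd/2.0 mod_fastcgi/2.4.2 proxy_html/2.5
Content-Type: text/html"""
```

Run it against your own server after changing the configuration, because the directive may not have taken effect: in stock Apache the Server header is added after mod_headers runs, so Header unset Server is often ignored, and ServerTokens Prod is the directive that reduces the value to the bare "Apache" seen in the CNN example.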