2.7 Ensure Sever Header is Modified To Prevent Information Disclosure

Information

The server header is a vanity header developed to help identify the underlying technology in a server for troubleshooting and identification. This header is unnessesary and could be used to target your website for exploitation. Tomcat does not provide the ability to remove the server header, however, it does provide the ability to modify the header.

Rationale:

The server header may specify the underlying technology used by an application. Attackers are able to conduct reconnaissance on a website using these response headers. This header could be used to target attacks for specific known vulnerabilities associated with the underlying technology. Removing this header will prevent targeting of your application for specific exploits by non-determined attackers.

While this is not the only way to fingerprint a site through the response headers, it makes it harder and prevents some potential attackers from targeting your website.

Solution

In $CATALINA_HOME/conf/server.xml, add the server directive to the connector as shown below replacing apache with the text of your choosing. This text should not help in identifying the server.

<Connector port='8443' server='I am a teapot' redirectPort='8080' />

Scripted:

If you do not have the header defined:

sed -ir 's/Connector/Connector server='I am a teapot'/g' $CATALINA_HOME/conf/server.xml

If you already have a header but it is still revealing

sed -ir 's/server='[^']*'/server='I Am A Teapot'/g' $CATALINA_HOME/conf/server.xml

Default Value:

The default value is Apache-Coyote/1.1.

References:

https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#server.xml

https://stackoverflow.com/questions/52637285/replacing-server-header-in-tomcat-with-sed

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CSCv7|13.2

Plugin: Unix

Control ID: 1a1d2e8f7a90fccc749901a1ce9825022861f6eaddd59c6f3d6b442471f07a8c