12 - Remove and mask informational headers - JSP Configuration

Information

When a resource is requested from the Web Connector via HTTP, the response contains headers with information about the server which generated the response.

This information can help an attacker to quickly identify which version you are running and consequently tune the attack attempts specifically for your software instance.

Solution

In order to hide or mask these headers we can set up the web subsystem with the following:

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="example.com" native="false">
<connector>
....
</connector>
<virtual-server name="example.com" enable-welcome-root="false">
....
</virtual-server>
<configuration>
<jsp-configuration x-powered-by="false"/>
</configuration>
</subsystem>

See Also

https://docs.jboss.org/author/display/AS72/Hardening+Guidelines

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-30

Plugin: Unix

Control ID: dc1ea9a040f6beeb9408380a634b493e935832a6c5be960e3d7376afb6b81c01