12 - Remove and mask informational headers - Server Property Override

Information

When a resource is requested from the Web Connector via HTTP, the response contains headers with information about the server which generated the response.

This information can help an attacker to quickly identify which version you are running and consequently tune the attack attempts specifically for your software instance.

Solution

You should mask the 'Server:' value in the header. By default this header shows the version of our servlet container.

In order to remove it we can set up a global property in this way:

<system-properties>
....
<property name="org.apache.coyote.http11.Http11Protocol.SERVER" value="SuperSecureServer"/>
....
</system-properties>

See Also

https://docs.jboss.org/author/display/AS72/Hardening+Guidelines

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-30

Plugin: Unix

Control ID: ebdb822576becc070ce73a89ae9dccffe015d059067aa1a7e09311c40fca0f00