3.8 - Http banner reveals server information - Send Server Header

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

By default, when an instance of WebLogic Server responds to an HTTP request, its HTTP response header includes the server's name and WebLogic Server version number.This poses a potential security risk if an attacker knows about vulnerability in the specific version of WebLogic Server.

An attacker can enumerate the server make, version and technology used from the http banner. This information can be useful to an adversary to refine further attacks.

Solution

1. Open Administration Console, click Lock & Edit.
2. In the left pane select Environment > Servers > Nameof the server > Protocols > HTTP
3. Disable Send Server Header parameter
4. In the Administration Console, click on the domain name > Configuration > Web Applications
5. From the drop-down list, select value of X-Powered-By Header as 'X-Powered-By header will not be sent'

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-30(5)

Plugin: Unix

Control ID: 3809942722100e8fb97058348ea4443abd57e8065c2fed89e085b8a3614b440e