Friday, February 3, 2012

Securing web server 404/403 responses against fingerprinting

As part of hardening an eCommerce site, it is always worth cutting down what the web server says about itself. Out of the box, Apache-based servers (IBM HTTP Server included) announce their product and version in the Server response header and in the footer of every error page they generate, which hands an attacker the first step of fingerprinting the stack for free.

How to reproduce this: take the URL of any static asset on the site and change the file name to something that does not exist. The server answers with a 404 (or a 403 if the path is forbidden), and the error page footer prints the web server product and exact version, which an attacker can match against known weaknesses for that release. The same banner is sent in the Server header of every response, not just error pages.

IBM_HTTP_Server/X.X.X.X-PMX4623 Apache/2.1.97 (Unix) Server at host.com Port 80

To reduce this disclosure, change the two directives below in httpd.conf. ServerTokens controls how much detail goes into the Server header (and into the signature line); ServerSignature controls whether the footer line is appended to server-generated pages such as 404/403 error pages and directory listings. ServerTokens is a server-wide setting, so set it in the main server config rather than a virtual host, then restart the web server for the change to take effect. Two caveats: ServerTokens Prod still sends the product name (stock Apache answers with "Server: Apache"), and hiding the banner does not stop fingerprinting based on the server's behaviour; it only stops handing out the version number.

Test environment (verbose output, convenient while debugging):

ServerTokens Full
ServerSignature On

Production environment:

ServerTokens Prod
ServerSignature Off
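A quick way to verify the change after the restart is to request a path that cannot exist and inspect both the Server header and the body of the error page. The POSIX shell script below is an added example, not code from the original post: it audits a captured raw HTTP response for product/version tokens and for the ServerSignature footer. The two sample responses embedded in it are constructed to represent the before and after states (the "after" sample assumes stock Apache, whose ServerTokens Prod output is "Server: Apache"; IBM HTTP Server prints its own product name instead). The audit_live function, the host.com placeholder and the asset path are assumptions for a live check and need network access.

```shell
#!/bin/sh
# Added example (not from the original post): audit an HTTP error response for
# web server version disclosure, before and after ServerTokens/ServerSignature.

# Print the value of the first Server response header in a raw response.
server_header() {
    printf '%s\n' "$1" | grep -i '^Server:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r'
}

# List product/version tokens such as "Apache/2.1.97" anywhere in the response
# (headers and body), ignoring the "HTTP/1.1" token of the status line.
version_strings() {
    printf '%s\n' "$1" \
        | grep -Eio '[A-Za-z_-]+/[0-9]+(\.[0-9]+)+' \
        | grep -Eiv '^HTTP/' \
        | sort -u
}

# Exit 0 if any product/version token was found, 1 otherwise.
discloses_version() {
    [ -n "$(version_strings "$1")" ]
}

# Exit 0 if the ServerSignature footer ("... Server at host Port 80") is present.
has_signature() {
    printf '%s\n' "$1" | grep -Eiq 'Server at [^ ]+ Port [0-9]+'
}

# Print findings for one response; the last line is the verdict, PASS or FAIL.
# Exit status is 0 for PASS and 1 for FAIL.
audit_response() {
    verdict=PASS
    if discloses_version "$1"; then
        echo "finding: version disclosed: $(version_strings "$1" | tr '\n' ' ')"
        verdict=FAIL
    fi
    if has_signature "$1"; then
        echo "finding: ServerSignature footer present on error page"
        verdict=FAIL
    fi
    echo "$verdict"
    [ "$verdict" = PASS ]
}

# Live check (assumption: needs network; the host is supplied by the caller).
# Requests a path that cannot exist so the server produces its own 404 page.
audit_live() {
    audit_response "$(curl -sS -i --max-time 10 "http://$1/no-such-asset-$$.png")"
}

# Constructed sample: 404 from a server with ServerTokens Full / ServerSignature On.
# The banner text mirrors the one quoted in the post above.
BEFORE='HTTP/1.1 404 Not Found
Server: IBM_HTTP_Server/X.X.X.X-PMX4623 Apache/2.1.97 (Unix)
Content-Type: text/html; charset=iso-8859-1

<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /images/logo_typo.png was not found on this server.</p>
<hr>
<address>IBM_HTTP_Server/X.X.X.X-PMX4623 Apache/2.1.97 (Unix) Server at host.com Port 80</address>
</body></html>'

# Constructed sample: the same 404 with ServerTokens Prod / ServerSignature Off
# (assumes stock Apache, which then sends "Server: Apache").
AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /images/logo_typo.png was not found on this server.</p>
</body></html>'

echo "== before: ServerTokens Full, ServerSignature On (expected FAIL) =="
audit_response "$BEFORE" || true
echo "== after: ServerTokens Prod, ServerSignature Off (expected PASS) =="
audit_response "$AFTER"
```

To run it against a real host after the restart, call audit_live with the host name (for example `audit_live host.com`); a FAIL verdict means either a version token or the signature footer is still coming back, so the change has not taken effect on that server.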


4 comments:

  1. Hi Raj Sanghvi,
    The information you are putting here is very useful. Simple and good examples which are easy to understand. Could you please also upload some information related to Contracts? Their purpose and benefits, creating them, etc.?

    Thanks

  2. I am really glad to know the blog is serving its purpose. I will soon write something on Contracts.

  3. Hi,
    Very good and nice spelling in the article that may reach everyone reading. Better if, with the levels, there may be statistical images. All the way very good.
    Regards,
    STC Technologies

  4. Nice Info - Sanjiv
