Lucid Security Engineers regularly encounter HTTP headers during web application or network penetration testing that reveal potentially sensitive information such as application architecture, server versions, or information about the underlying host system. These types of information disclosure vulnerabilities can be utilized by attackers to quickly determine vulnerable server versions and perform more targeted attacks. As a developer, system administrator, or IT manager you probably find these types of findings frustrating! Here’s how to remediate “HTTP Response Header Information Disclosure”:
Nginx
To remove the “Server” or “X-Powered-By” headers for a Nginx server, implement the following:
- In the nginx.conf file, set:
server_tokens off;
- In the case of a load balancer, remove the “Server” header from responses
- To completely remove the “Server” header, compile Nginx with the Headers More module and add:
more_clear_headers 'Server';
References
https://serverfault.com/questions/214242/can-i-hide-all-server-os-info
https://github.com/openresty/headers-more-nginx-module#readme
Apache
Like Nginx, you can either rewrite the “Server” header value or add an additional module to completely remove it:
- Utilize the URL Rewrite module and configure an outbound rule to change the “Server” header value. This can also be set to a blank value.
- To completely remove the “Server” header, utilize the StripHeaders module to rewrite all HTTP response headers.
References
http://httpd.apache.org/docs/current/mod/mod_headers.html
IIS
Microsoft IIS makes removing HTTP headers pretty easy, with the notable exception of the “Server” header. Luckily we dug around and found a way to do this on Windows Server 2016, 2019 and newer.
- Open the web.config file in the root directory of the site and add the following inside the <system.web> node:
<httpRuntime enableVersionHeader="false" />
- To remove the “Server” header (Windows Server 2016/2019), configure requestFiltering in the web.config system.webServer node:
<security>
  <requestFiltering removeServerHeader="true" />
</security>
References
https://www.ibm.com/support/pages/disabling-iis-web-banner-and-other-iis-headers
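Whichever server you remediate, confirm the change from the outside. The following checker is an added example, not code from the original post: it parses a raw response header block (as captured with curl -sI) and reports the headers discussed above, flagging any that still carry a version string. The header list and the two sample responses are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Headers that commonly reveal server software or framework details (constructed list).
DISCLOSING_HEADERS = {
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
}
# Dotted version strings such as "10.0" or "4.0.30319".
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)*")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.x header block into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        if ":" not in line:
            continue  # tolerate junk lines rather than failing
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        # Duplicate headers are joined with ", " as RFC 9110 allows.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def find_disclosures(headers: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """Return (header, value, has_version) for each disclosing header present."""
    findings = []
    for name in sorted(DISCLOSING_HEADERS):
        value = headers.get(name, "")
        if value:  # an empty value (Server rewritten to blank) is acceptable
            findings.append((name, value, bool(VERSION_RE.search(value))))
    return findings


# Constructed sample: an unremediated IIS/ASP.NET response.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# Constructed sample: the same response after the headers above are removed.
SAMPLE_AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
```

Run it against `curl -sI https://your-host/` output after a deploy; an empty result for every finding means the remediation held through any load balancer or CDN in front of the origin.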
Conclusion
Fixing information disclosure issues can be painful, but we’re here to help. Hopefully this short post on how to remediate HTTP response header information disclosures was helpful. For up to 90 days after a penetration test, Lucid Security offers free retesting of discovered vulnerabilities. Reach out to us and schedule a security assessment today!