CA SSO : SPS Hardening Security : Suppress Server Headers

Idea created by Hubert Dennis Employee on Mar 8, 2016
    Status: Under review
    Score: 10

    One of our customer requirements is to harden the Secure Proxy Server so that it does not send added information to the Browser, which acts as an enabler identifying key information about the server underneath. Exposing this information makes the Server susceptible to attacks by malicious users who are ready to exploit any loops in that particular variant.

    Currently CA Secure Proxy Server exposes the following info in its responses.

    When accessing resources via Proxy Server

    Server : Apache/2.4.12 (Unix) OpenSSL/1.0.1o-fips mod_jk/1.2.40

    When accessing ProxyUI

    Server : Apache-Coyote/1.1

    Now, by adding these 2 sections in httpd.conf, we were able to get Apache to a minimal level, however not complete. Some older versions of Apache supported "ServerTokens None", which did the trick.

    # Load mod_headers so the Header directives below are available
    LoadModule headers_module modules/mod_headers.so

    # Core directives (no module required): report only "Apache" in the
    # Server header and drop the version footer from server-generated pages
    ServerTokens Prod
    ServerSignature Off

    <IfModule mod_headers.c>
    # "unset" acts on normal responses, "always unset" also on error
    # responses; neither fully removes Server on 2.4 (see the links below)
    Header unset Server
    Header always unset Server
    Header unset X-Powered-By
    Header always unset X-Powered-By
    </IfModule>

    Therefore we now get

    When accessing resources via Secure Proxy Server

    Server : Apache

    When accessing ProxyUI

    Server : Apache-Coyote/1.1

    After reading through google searches, it is clear that the Apache developers did not want to obscure this information, citing their mantra of "The idea of security through obscurity is a myth and leads to a false sense of safety" (core - Apache HTTP Server Version 2.4).

    However, what we focus on is making it that little bit harder to break our fences, and not relying purely on obscurity for security. We just harden it at every possible layer.

    Apache HTTP Server - Users - header unset server does not work

    https://emptyhammock.com/media/downloads/mod_remove_server_header.c

    Bottom line, for now the customer would need to configure the load balancer to strip it off. Ideally OOB the product should do this for all types of requests, i.e. pages served off SecureProxy (both apache and tomcat) and proxied requests / responses. Additionally, have a switch to enable / disable (disabled by default).

    Regards

    Hubert
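An added verification check for this idea (example code written for this page, not CA's code and not part of the original post): a Python script that parses the status line and headers of a raw HTTP response and classifies what the Server / X-Powered-By headers disclose, so the three states described above (full version string, bare "Apache", header stripped by the load balancer) can be told apart in an automated way. The sample responses are constructed from the header values quoted in the post; the header list, the levels none / product / version, the version regex and the assess_live helper are my own choices.

```python
"""Audit HTTP response headers for server-stack disclosure (added example)."""
import http.client
import re
from typing import Dict, List

# Response headers that commonly identify the stack behind a proxy (assumed list).
FINGERPRINT_HEADERS = ("server", "x-powered-by")

# Matches a product/version token such as Apache/2.4.12 or mod_jk/1.2.40.
VERSION_RE = re.compile(r"[A-Za-z_-]+/\d+(?:\.\d+)+")

# Ordering used to pick the worst finding: no header < product only < version.
SEVERITY = {"none": 0, "product": 1, "version": 2}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP response (status line first).

    Header names are lower-cased; repeated headers are kept in order.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:          # skip the status line
        if not line.strip():        # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue                # tolerate non-header junk lines
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def classify_value(value: str) -> str:
    """'version' if the value carries a version number, else 'product'."""
    return "version" if VERSION_RE.search(value) else "product"


def assess(raw: str) -> dict:
    """Return the worst disclosure level plus every offending header."""
    headers = parse_headers(raw)
    findings = []
    for name in FINGERPRINT_HEADERS:
        for value in headers.get(name, []):
            findings.append({"header": name, "value": value,
                             "level": classify_value(value)})
    worst = max((f["level"] for f in findings), key=SEVERITY.get, default="none")
    return {"level": worst, "findings": findings}


def assess_live(host: str, port: int = 443, path: str = "/",
                https: bool = True) -> dict:
    """Fetch the headers of a server you administer and assess them."""
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
        raw += "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders())
        return assess(raw + "\r\n")
    finally:
        conn.close()


# Constructed sample responses using the header values quoted in the post.
BEFORE_PROXY = ("HTTP/1.1 200 OK\r\n"
                "Server: Apache/2.4.12 (Unix) OpenSSL/1.0.1o-fips mod_jk/1.2.40\r\n"
                "Content-Type: text/html\r\n\r\n")
AFTER_PROXY = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
PROXY_UI = "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Type: text/html\r\n\r\n"
STRIPPED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_PROXY), ("after ServerTokens Prod", AFTER_PROXY),
                          ("ProxyUI", PROXY_UI), ("stripped at LB", STRIPPED)):
        print("%-25s %s" % (label, assess(sample)["level"]))
```

Run it as-is to see the four sample classifications; point assess_live at the proxy and the ProxyUI endpoint after the load balancer rule is in place and expect "none" from both, which is the end state the post asks the product to provide out of the box.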