Mask Your Web Server for Enhanced Security
page 3 of 14
by Joe Lima

The Server Header Tells All
Most Web servers politely identify themselves and the OS to anyone who asks. Using a network query tool like Sam Spade or this Header Check, you can discern the HTTP Server header. Just request a Web site's home page and examine the resulting HTTP headers or "banners" sent back by the server. Among them, you will likely find something like this:

Server: Microsoft-IIS/5.0

There is not much mystery here. Apache's default settings make it no less identifiable:

Server: Apache/2.0.41-dev (UNIX)

You can remove or obscure this HTTP Server header in a variety of ways, depending on your platform. Apache users can use the module mod_headers. IIS users can install IISLockDown and use the configuration option in URLScan's INI file for removing or replacing the header. Be careful with URLScan if you are using ColdFusion -- the way the current version replaces the Server header wreaks havoc with CFM pages. In fact, removing the header is the better choice with URLScan: if you replace it instead, the header moves to the bottom of the header order, which pretty much gives away that you are running URLScan on IIS.
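To confirm what your own server still reveals after masking, you can audit a saved response for both tells described above: a version banner in the Server value, and a Server header that has dropped to the end of the header order. This is an added example, not code from the original article; the function names and sample responses are constructed for illustration, and the "last header" check is a heuristic based on the article's description of URLScan.

```python
import re

# Constructed sample responses (not captured from any real server).
DEFAULT_BANNER = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                  "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                  "Content-Type: text/html\r\n\r\n")
REPLACED_BANNER = ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                   "Content-Type: text/html\r\nServer: Webserver\r\n\r\n")
REMOVED_BANNER = ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                  "Content-Type: text/html\r\n\r\n")


def parse_headers(raw):
    """Return response headers as an ordered list of (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def audit_server_header(raw):
    """List what the Server header (value and position) still gives away."""
    headers = parse_headers(raw)
    names = [name.lower() for name, _ in headers]
    if "server" not in names:
        return []                            # header removed: nothing to report
    findings = []
    index = names.index("server")
    # A product token followed by /<digit> is a version banner.
    if re.search(r"[\w.-]+/\d", headers[index][1]):
        findings.append("version-disclosed")
    # Assumed heuristic from the article: a replaced header lands last.
    if len(names) > 1 and index == len(names) - 1:
        findings.append("server-header-last")
    return findings


if __name__ == "__main__":
    for label, raw in [("default", DEFAULT_BANNER), ("replaced", REPLACED_BANNER),
                       ("removed", REMOVED_BANNER)]:
        print(label, audit_server_header(raw))
```
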
