
Website optimization and general configuration Part 3: CORS and headers security – policies and hardening

Removing Headers

The next step in hardening your HTTP response headers is to look at the headers you can remove, to reduce the amount of information you divulge about your server and what is running on it. Servers commonly reveal which software they run, which version of it, and which frameworks power the site. Every version string you leak is free reconnaissance for an attacker (it lets them pick exploits for exactly your release without probing), so reducing it is always worthwhile, although it is no substitute for patching. I will go over the most common headers below, but you should always examine your own site's response headers, for example with SecurityHeaders.io, to see whether there are more you can remove.

Server

The Server header is the one you are most likely to see on any site. Per the HTTP specification, the Server response-header field contains information about the software used by the origin server to handle the request. The field can contain multiple product tokens and comments identifying the server and any significant sub-products, listed in order of their significance for identifying the application.

To mask detailed information in the Server header, edit Apache's main configuration file: /etc/apache2/apache2.conf on Debian and Ubuntu, /etc/httpd/conf/httpd.conf on Red Hat derivatives. Add the following two directives at the end and reload Apache. ServerTokens trims the header itself; ServerSignature Off removes the matching footer line from server-generated pages such as error pages and directory listings.

ServerTokens ProductOnly
ServerSignature Off

ServerTokens controls how much of this string is sent. Its possible values, from least to most revealing, are:

ServerTokens ProductOnly
Apache

ServerTokens Major
Apache/2

ServerTokens Minor
Apache/2.4

ServerTokens Minimal
Apache/2.4.2

ServerTokens OS
Apache/2.4.2 (Unix)

ServerTokens Full (the default when not specified)
Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2

ProductOnly is as far as the stock directives go: Apache has no built-in way to drop the Server header entirely, so if you need that, use a third-party module such as mod_security or a reverse proxy in front of Apache.

X-Powered-By

The X-Powered-By header names the language runtime or application framework behind the web server. With typical values such as ASP.NET or PHP/5.4.0, it is another piece of information you can remove from public view.

In PHP this is one php.ini setting plus a restart. The path depends on your PHP version and SAPI: the example below is PHP 5 under php-fpm; with mod_php edit /etc/php5/apache2/php.ini instead, and on newer releases the files live under /etc/php/. Each SAPI has its own php.ini, so change the one Apache actually loads (phpinfo() shows it as "Loaded Configuration File").

sudo nano /etc/php5/fpm/php.ini
Locate the following line and change it from this:
expose_php = On
To this:
expose_php = Off

Then restart php-fpm (or Apache, for mod_php). Note that expose_php only stops PHP itself from adding X-Powered-By: PHP/x.y.z; a framework that sets its own X-Powered-By value is unaffected.

Another option in Apache is to strip the header on the way out with Header unset X-Powered-By. This requires mod_headers (a2enmod headers on Debian/Ubuntu) and also catches the framework case, whatever set the header.

X-AspNet-Version

The X-AspNet-Version header does what it says on the tin: it discloses the exact version of ASP.NET you are running, so it has to go. It is another easy one to remove, needing only a minor change in web.config: set the enableVersionHeader attribute of the httpRuntime element to false. If the site uses ASP.NET MVC it also sends X-AspNetMvc-Version, which is switched off in code by setting MvcHandler.DisableMvcResponseHeader to true in Application_Start.
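To check your own site the way the introduction suggests, and to see which ServerTokens level a given Server value corresponds to, here is a small audit script. It is an added example written for this post, not code from the original article or its .htaccess download. It parses a raw HTTP response head, flags the four headers discussed above (Server, X-Powered-By, X-AspNet-Version and the MVC sibling X-AspNetMvc-Version), and rates the Server value against the ServerTokens levels listed earlier; the rating also works for non-Apache product tokens, which goes beyond the Apache-only table above. The two sample responses are constructed, not captured from a real host.

```python
"""Audit an HTTP response head for headers that disclose server software."""
import re

# Headers worth removing, with the setting that controls each one.
DISCLOSURE_HEADERS = {
    "server": "ServerTokens (Apache)",
    "x-powered-by": "expose_php=Off (PHP) or Header unset X-Powered-By",
    "x-aspnet-version": 'httpRuntime enableVersionHeader="false" (web.config)',
    "x-aspnetmvc-version": "MvcHandler.DisableMvcResponseHeader = true (Global.asax)",
}

# product[/version][ (comment)][ further tokens]
_SERVER_RE = re.compile(
    r"^(?P<product>[^\s/(]+)"
    r"(?:/(?P<version>[^\s(]+))?"
    r"(?:\s*\((?P<comment>[^)]*)\))?"
    r"(?P<rest>.*)$"
)


def parse_response(raw: str):
    """Return (status line, {lower-cased header name: value}) for a raw response.

    Only the head before the first blank line is parsed; the first occurrence
    of a repeated header wins.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0].strip(), headers


def server_tokens_level(value: str) -> str:
    """Map a Server header value onto the Apache ServerTokens level it matches.

    Works for any product token: "nginx/1.18.0" rates Minimal because it
    discloses a full version number.
    """
    m = _SERVER_RE.match(value.strip())
    if not m:
        return "Unknown"
    if m.group("rest").strip():
        return "Full"           # further modules listed after the product
    if m.group("comment") is not None:
        return "OS"             # parenthesised platform, e.g. (Unix)
    version = m.group("version")
    if version is None:
        return "ProductOnly"
    dots = version.count(".")
    return "Major" if dots == 0 else "Minor" if dots == 1 else "Minimal"


def audit(raw: str):
    """Return {header: (value, level)} for each disclosure header present.

    level is the ServerTokens equivalent for Server and None for the others.
    """
    _, headers = parse_response(raw)
    findings = {}
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            value = headers[name]
            level = server_tokens_level(value) if name == "server" else None
            findings[name] = (value, level)
    return findings


# Constructed sample responses (not captured from a real host).
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.2 (Unix) PHP/5.4.0\r\n"
    "X-Powered-By: PHP/5.4.0\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def report(raw: str, label: str) -> None:
    """Print the findings for one response together with the fix for each."""
    findings = audit(raw)
    print(f"== {label} ==")
    if not findings:
        print("  no disclosure headers")
    for name, (value, level) in findings.items():
        suffix = f"  [ServerTokens-equivalent: {level}]" if level else ""
        print(f"  {name}: {value}{suffix}  -> fix: {DISCLOSURE_HEADERS[name]}")


if __name__ == "__main__":
    report(VERBOSE_RESPONSE, "before hardening")
    report(HARDENED_RESPONSE, "after hardening")
```

To run it against a live site, feed it the output of curl -sI followed by your URL (curl prints exactly the status line and headers the parser expects) and compare the result before and after applying the settings above; the hardened sample still shows Server: Apache because ProductOnly is the floor for stock Apache.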

If you have a question, or can share more useful information, please comment using the form below.

GOODIES

To make it easier to implement the features described in these posts, I have prepared a sample .htaccess file that you can download and adjust to your needs. At the beginning of the file there are a few more features not described here, such as blocking access to WordPress files (if your site runs on WordPress), denying bad query strings, filtering characters, and so on. Keep in mind that ServerTokens is a server-config-only directive and cannot be set from .htaccess; it belongs in the main Apache configuration as shown above, while Header unset lines work in either place.

Do not forget to rename the file from “htaccess.txt” to “.htaccess”!
