Removing Server HTTP header
Article ID: CTX547180
Updated On:
Description
Removing Server HTTP header
- Open the ADC via GUI and navigate to AppExpert > Rewrite > Action
- Give it the name “action_remove_server_header”, type “DELETE_HTTP_HEADER”, type Server and click Create
- Navigate to Rewrite > Policies and click Add
- Give it the name “policy_remove_server_header”, select “action_remove_server_header” from the Action drop-down list box, and then type HTTP.RES.IS_VALID in the Expression field and click Create
NOTE: HTTP.RES.IS_VALID means that, if any HTTP response is a valid HTTP response, then evaluate it
- This policy will be bound GLOBALLY for example and not at a Virtual Server for practice purposes only.
GLOBALLY means that ALL the HTTP responses received from the back-end servers will be evaluated.
While still in the Rewrite Policies pane, click Policy Manager at the top of the screen.
You can also bind to the vserver directly
- On the Bind Point screen, select “Override Global” under “Bind Point”, Protocol HTTP and Response from the “Connection Type” drop-down list box and click Continue.
- Under Policy Binding, click the drop-down “click to select” to select a policy to bind
- Select “policy_remove_server_header” and click Select
- Click Bind
- Click Done
- Click Save
Note you can bind to the vServer directly.
Issue/Introduction
How to remove header data from the back-end server using the rewrite feature.
In the below example, the Server Apache version and Linux dist are visible.
This is not recommended as an attacker can explore possible vulnerabilities in the version exposed.
Was this article helpful?
Yes
No
Powered by
