
Web server and/or operating system information will be protected.


Overview

Finding ID: V-6724
Version: WG520
Rule ID: SV-6938r4_rule
IA Controls: ECSC-1
Severity: Low
Description
The header of an HTTP response, returned along with the requested HTML page, can contain several fields of information. The information included in this response can identify the web server type and version, the operating system and version, and the ports associated with the web server. This provides a malicious user with valuable information without the use of extensive tools.
STIG Date
Web Server STIG 2010-10-07

Details

Check Text ( C-29517r1_chk )
Query the SA or the web administrator regarding the publishing of the web server information or operating system information. The SA should be able to show that the web server is configured to not display information about the web server, which would include the web server product, version, or host operating system of the web server.

The reviewer will need to use a tool to examine the HTTP header contents. Tools that can perform this function include HTTP Debugger Proxies or HTTP Header viewers. The use of any of these tools needs to be approved by your local IAM/IAO before being used.

If the web server information or operating system information is sent to the client via the server response header, this is a finding.
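The header check described above can be scripted so that a reviewer gets a repeatable verdict instead of reading headers by eye. This is an added example, not part of the STIG or any tool it names; the two responses are constructed samples, and the list of headers and patterns it inspects is an assumption about where product, version and OS details usually appear.

```python
import re
from typing import Dict, List

# Response headers that commonly carry web server product, version or host OS details.
# This list is an assumption for the example, not a list taken from the STIG.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

VERSION_RE = re.compile(r"\d+\.\d+")                       # e.g. 2.2.15
OS_RE = re.compile(r"\b(unix|linux|win32|win64|windows|debian|ubuntu|centos|freebsd)\b", re.I)

# Constructed sample responses: one that discloses server/OS information, one that does not.
DISCLOSING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (Unix)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>hello</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>hello</body></html>"
)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased name -> value dict."""
    head = raw.split("\r\n\r\n", 1)[0]          # everything before the blank line is the header block
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:         # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(headers: Dict[str, str]) -> List[str]:
    """Return one finding per header that reveals server product, version, or operating system."""
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if not value:                            # absent or blank header discloses nothing
            continue
        detail = ["product"]                     # any non-empty value names the product/platform
        if VERSION_RE.search(value):
            detail.append("version")
        if OS_RE.search(value):
            detail.append("operating system")
        findings.append(f"{name}: {value!r} reveals {', '.join(detail)}")
    return findings


def is_finding(raw_response: str) -> bool:
    """True when the response header discloses web server or OS information (a finding under WG520)."""
    return bool(find_disclosures(parse_response_headers(raw_response)))
```

Point the parser at a captured response from an approved header viewer or proxy; a non-empty result from find_disclosures is the evidence to record for the finding.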
Fix Text (F-26581r1_fix)
Ensure the web server is configured to not advertise the web server and operating system information to the client.