Re: response header fields

[Federico Maggi <federico.maggi () gmail com>]

Anyways,
    suppressing headers is of no help to improve security.  
Fingerprinting is always feasible with good accuracy.

-- Fede

On 12/ago/2009, at 17.30, Edjenguele <christian.edjenguele () owasp org>  
wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi as I know, suppressing Apache headers informations could be done by
> two way
> 1) patch Apache and recompile the source code, probably the best way
> 2) modify/wrap response from java code using a servlet.
>
> Andre Rodrigues wrote:
> > Hi,
> >
> > Can you tell me what response headers do I need to suppress in  
> > order to improve security?
> >
> > Response headers example:
> >
> > Server:      Apache-Coyote
> > x-powered-by: <My server information>
> >
> >
> > I think the above headers inform too much, so I will remove them.
> >
> > Am I paranoid, or is it a good practice?
> >
> >
> >
> > Thanks,
> > André
> >
> >
> >
> >
> >
> > --- 
> > ---------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs  
> > an SSL certificate.  We look at how SSL works, how it benefits your  
> > company and how your customers can tell if a site is secure. You  
> > will find out how to test, purchase, install and use a thawte  
> > Digital Certificate on your Apache web server. Throughout, best  
> > practices for set-up are highlighted to help you ensure efficient  
> > ongoing management of your encryption keys and digital certificates.
> >
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > --- 
> > ---------------------------------------------------------------------
>
>
> - --
> Christian Eric Edjenguele
> IT Security Engineer
> PGP KeyID: 0xB1654498
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJKguAiAAoJENETScWxZUSYwhUH+gOKw5fOh54N7/lyR91KBMEN
> 26vYQyzDKhr3jV6XR7nUabqd27rYFOAzp/D8ZH3ZTRs72nN5TSz+4ge7Qj350GhJ
> OmL78pKFocCXJ8yN2hpLgwsIA2UUpitTXVt44uRgyyEv/xv1ii97qGU7UTkGR/J4
> H/HM4q6u14DFJeAn3Ah11296BlEwU7ImLnmMt/Wh4VM3NJXd9vfdFkxMpVdgtoKF
> rUsUbsJ2Z7ywH1pEuhg4WXSgsyuFw3XwgJ6xErY2f0xvcDaqS9JtlRmMwRQvTqRS
> 00sYsgfURU9TwIgHyXa07fvvwGd54D9mfYfQpGY/vGM1STJKxT9q3oKxUIfnxCE=
> =pTLo
> -----END PGP SIGNATURE-----
>
> --- 
> ---------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs  
> an SSL certificate.  We look at how SSL works, how it benefits your  
> company and how your customers can tell if a site is secure. You  
> will find out how to test, purchase, install and use a thawte  
> Digital Certificate on your Apache web server. Throughout, best  
> practices for set-up are highlighted to help you ensure efficient  
> ongoing management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> --- 
> ---------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------