Server header being shown although set to FALSE
We installed a webdispatcher and got a security test on the project.
The analyst came back with the remark that the servername is being exposed in the header.
Now I looked it up in the Webdispatcher parameters, but there the parameter is set to FALSE:
So according to the SAP documentation (note1616535) if this is set to false:
When you change this, the "Server:" header field is no longer set in HTTP responses.
But still we get the info from the PI server.
Does it also need to be set in the ICM parameters on the PI side? There the parameter is set to 1
Although security marked it as Low it is still a possibility for "Malicious users can use this information for attacks."