Server header being shown although set to FALSE

Former Member
0 Kudos

We installed a webdispatcher and got a security test on the project.

The analyst came back with the remark that the servername is being exposed in the header.

Now I looked it up in the Webdispatcher parameters, but there the parameter is set to FALSE:

is/HTTP/show_server_header         false

So according to the SAP documentation (note 1616535), if this is set to false:

When you change this, the "Server:" header field is no longer set in HTTP responses.

But still we get the info from the PI server.

Does it also need to be set in the ICM parameters on the PI side? There the parameter is set to 1.

Although security marked it as Low it is still a possibility for "Malicious users can use this information for attacks."

1 ACCEPTED SOLUTION

hemanth2
Product and Topic Expert
0 Kudos

Hi Christian,
 

Hope you are doing good.

Nice to hear from you again.
The SAP version was not mentioned.
Please also see notes 1329326 and 2045861; you need to be on the SP and the kernel level mentioned.

   

Hope this helps.

_ _ _ _ _ _ _ _ _

Kind Regards,

Hemanth
SAP AGS
_ _ _ _ _ _ _ _ _
 

3 REPLIES 3

Former Member
0 Kudos

Hi Hemanth

Here all is fine (sunny finally outside)

My SAP webdispatcher is version 742, patch 27 and running on a server in the DMZ.

The PI version is: 7.11 sp13 with kernel 7.21

I think the PI is still sending its server header although the parameter on the webdispatcher is set to FALSE, as on the PI it has neither FALSE nor TRUE but a 1.

Looking at both notes you provided and the one (1616535) I gave in the message, I am going to test it with the ICM value on the PI server set to FALSE.


hemanth2
Product and Topic Expert
0 Kudos

Great Christian, do let us know how it goes.

Kind Regards,

Hemanth
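
One way to verify the change discussed in this thread, as an added example that is not part of the original posts or any SAP tooling: parse a response's headers and report whether a "Server:" header (or a similar banner header) is still returned. The function names, the extra `x-powered-by` check and the sample responses with the placeholder banner `ExampleBackend/7.21` are assumptions constructed for illustration.

```python
import http.client
import re

# Headers that reveal server software; "Server" is the one raised in this thread.
BANNER_HEADERS = ("server", "x-powered-by")
# A dotted number or "/<digits>" in the value suggests a visible version.
VERSION_RE = re.compile(r"\d+(\.\d+)+|/\d+")


def parse_headers(raw: bytes) -> list:
    """Return (name, value) pairs from the header block of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def banner_findings(headers) -> list:
    """List banner headers present, noting whether a version string is visible."""
    return [
        {"header": n, "value": v, "has_version": bool(VERSION_RE.search(v))}
        for n, v in headers
        if n.lower() in BANNER_HEADERS
    ]


def fetch_headers(host, port=443, path="/", tls=True, timeout=10):
    """HEAD request against a host you administer; returns (name, value) pairs."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses (placeholder banner text, not real product output).
BEFORE_CHANGE = (b"HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n"
                 b"server: ExampleBackend/7.21\r\n\r\n<html></html>")
AFTER_CHANGE = b"HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE_CHANGE), ("after", AFTER_CHANGE)):
        print(label, banner_findings(parse_headers(raw)))
```

Passing the output of `fetch_headers` to `banner_findings` for both the Web Dispatcher address and the backend ICM port shows which tier is still adding the header.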