06-03-2015 10:52 AM
We installed a Web Dispatcher and got a security test on the project.
The analyst came back with the remark that the server name is being exposed in the header.
Now I looked it up in the Web Dispatcher parameters, but there the parameter is set to FALSE:
is/HTTP/show_server_header false
So according to the SAP documentation (note 1616535), if this is set to false:
When you change this, the "Server:" header field is no longer set in HTTP responses.
But still we get the info from the PI server.
Does it also need to be set in the ICM parameters on the PI side? There the parameter is set to 1.
Although security marked it as Low, it is still a possibility: "Malicious users can use this information for attacks."
06-03-2015 4:40 PM
Hi Christian,
Hope you are doing good.
Nice to hear from you again.
The SAP version was not mentioned.
Please also see the notes 1329326 and note 2045861; you need to be on the SP and the kernel level mentioned.
Hope this helps.
_ _ _ _ _ _ _ _ _
Kind Regards,
Hemanth
SAP AGS
_ _ _ _ _ _ _ _ _
06-04-2015 9:46 AM
Hi Hemanth,
Here all is fine (sunny finally outside).
My SAP Web Dispatcher is version 742, patch 27, and running on a server in the DMZ.
The PI version is 7.11 SP13 with kernel 7.21.
I think the PI is still sending its server header although the parameter on the Web Dispatcher is set to FALSE, as on the PI it has neither FALSE nor TRUE but a 1.
Looking at both notes you provided and note 1616535 that I gave in the message, I am going to test it with the ICM value on the PI server set to FALSE.
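A check for the situation described in this thread, added here as an example and not code from the thread or from SAP: it parses constructed Web Dispatcher and PI ICM profile fragments, normalises the TRUE/FALSE/1/0 spellings of is/HTTP/show_server_header, reports which hop is still not proven to suppress the header, and inspects a raw HTTP response for a Server: field. The value mapping (1/true = shown, 0/false = suppressed, unset = shown) is an assumption to confirm against the note for your kernel level.

```python
# Constructed sample profiles (not from the thread), in SAP "parameter = value"
# profile syntax. ASSUMPTION: 1/true/on mean the instance emits "Server:",
# 0/false/off suppress it; confirm accepted values for your kernel in the note.
WEBDISP_PROFILE = """
is/HTTP/show_server_header = FALSE
"""
PI_ICM_PROFILE = """
is/HTTP/show_server_header = 1
"""
# Constructed response as it would arrive through the dispatcher
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "server: SAP NetWeaver Application Server\r\n"
                   "content-type: text/html\r\n\r\n<html></html>")

def parse_profile(text):
    """Return {parameter: value} from SAP profile text, skipping '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def server_header_enabled(params):
    """True if this hop emits Server:, False if suppressed, None if the value
    is unrecognised. ASSUMPTION: an unset parameter behaves like TRUE."""
    raw = params.get("is/HTTP/show_server_header", "TRUE").strip().lower()
    if raw in {"1", "true", "on", "yes"}:
        return True
    if raw in {"0", "false", "off", "no"}:
        return False
    return None

def audit_chain(hops):
    """hops: list of (name, profile_text). Names of hops not proven to suppress
    Server:; the backend's header reaches the client, so every hop is checked."""
    return [name for name, text in hops
            if server_header_enabled(parse_profile(text)) is not False]

def leaked_server_header(raw_response):
    """Return the Server: value from a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None
```

Run audit_chain over every hop between the client and the application server; a hop that returns None has a value this script does not recognise and should be checked by hand.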
06-04-2015 10:32 AM