
I understand that a header like X-Powered-By can reveal details about the operating environment that can be used to find known vulnerabilities because you often get the language and compiler/interpreter/operating environment versions.

With a "don't give them more than necessary" mindset, I assume that headers that give you a language class like PHPSESSION or JSESSIONID should be replaced with custom alternatives, so that a potential attacker has fewer details to go on to narrow down the scope of his probing...

As it is mentioned on OWASP's website:

NOTE: Remember that attackers have other means of fingerprinting your tech stack.

I am aware that the difference between X-Powered-By: PHP/5.3.2 and PHPSESSION is the same as "1992 Toyota Corolla" and "a Toyota": the X-Powered-By header is very exact. Of course you may be able to fingerprint based on the app (e.g. Wordpress is easily identified).

Would it make sense to remove all such identifying headers in addition to the X-Powered-By headers?

The scope is for bespoke applications, since sites and applications building on clear frameworks like wordpress are harder to "anonymize" in my opinion.

1 Answer


The benefit of renaming such HTTP headers is very small in terms of security. As OWASP correctly points out, an attacker can use all kinds of fingerprinting techniques and doesn't have to rely on the server to explicitly announce the technologies used in the backend. Some languages like PHP also leave traces all over the place, e.g. in the file extension of URLs or in error messages.

So I wouldn't spend time on removing this information. It creates a false sense of security, and there are far more useful measures you can take (like hardening the webserver and the applications which are running).

The only thing I would consider reasonable is to turn off those Powered-By headers and prevent the webserver from blurting out its exact version on error pages, simply because this is completely irrelevant for users.
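A minimal Apache configuration that implements exactly the two measures the answer calls reasonable (no Powered-By header, no version on error pages). This is an added example, not code from the original post; it assumes Apache httpd 2.4 with mod_headers loaded.

```apache
# Added example: suppress stack/version announcements in Apache httpd 2.4.
# Assumes mod_headers is enabled (LoadModule headers_module ...).

# The default is "ServerTokens Full", which sends something like
# "Server: Apache/2.4.x (Unix) PHP/x.y". "Prod" reduces it to "Server: Apache".
ServerTokens Prod

# Removes the "Apache/2.4.x Server at host Port 80" footer that Apache appends
# to its own generated error pages (403, 404, 500, ...).
ServerSignature Off

# Drop X-Powered-By if a module or the application still sets it.
# "always" makes the rule apply to error responses as well, not only to 2xx.
Header always unset X-Powered-By
```

PHP adds its own X-Powered-By header independently of Apache; that one is switched off with `expose_php = Off` in php.ini, and `display_errors = Off` keeps version details out of PHP error output.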

