PM77980: IBM HTTP SERVER SHOULD NOT ADD THE SERVER: HEADER BY DEFAULT

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • IBM HTTP Server V7 and later have an option to disable
    generating the Server: HTTP response header, but suppressing
    the header should be the default behavior per current security
    guidelines.  Note that very little practically useful
    information is included in the Server: header by default
    ("IBM_HTTP_Server" with no version or release info).
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM HTTP Server (IHS) V7.0 and     *
    *                  later that have not configured              *
    *                  "AddServerHeader OFF".                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: IHS adds the "Server" header with a     *
    *                      value of "IBM_HTTP_Server"  to all      *
    *                      responses, unless "AddServerHeader OFF" *
    *                      is configured.                          *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    IHS 7.0 and later allows administrators to suppress the "Server"
    HTTP response header, but it requires explicit configuration.
    It
    was determined that adding this info should instead be opt-in.
    

Problem conclusion

  • When no AddServerHeader directive is configured, IHS now
    defaults to "AddServerHeader OFF" behavior.
    
    This fix is targeted for IBM HTTP Server fixpacks:
     - 7.0.0.29
     - 8.0.0.6
     - 8.5.0.2
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM77980

  • Reported component name

    IBM HTTP SERVER

  • Reported component ID

    5724J0801

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-11-28

  • Closed date

    2012-12-03

  • Last modified date

    2013-03-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM HTTP Server
Runtime

Software version:

7.0

Reference #:

PM77980

Modified date:

2013-03-01

Translate my page

Machine Translation

Content navigation