IBM Support

Disabling ETag headers in IBM HTTP Server

Technote (troubleshooting)


Problem(Abstract)

After a security scan of the system, the vulnerability report flagged the ETag header in IBM HTTP Server responses. The ETag that the server generates for a static file by default includes the file's inode number, which scanners treat as an information disclosure.


Diagnosing the problem

A network (IP) trace taken on the IBM HTTP Server showed the ETag header in the response:

HTTP/1.1 200 OK
Date: Wed, 24 Aug 2011 16:53:55 GMT
Server: IBM_HTTP_Server
Last-Modified: Wed, 03 Nov 2010 22:02:14 GMT
ETag: "11e2-c90-4942d31a24580"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 3216
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html

The three hexadecimal fields of this ETag are the file's inode number (0x11e2 = 4578), its size (0xc90 = 3216 bytes, matching Content-Length) and its last-modification time in microseconds since the epoch (0x4942d31a24580 = 1288821734000000, matching Last-Modified). The inode field is what the scanner reports: it reveals a detail of the server's file system and, because inode numbers differ from host to host, it also makes the ETag for the same file differ between members of a cluster.

Resolving the problem

There are two ways to change this with the FileETag directive in httpd.conf (the directive is valid in the server configuration, in a virtual host, in a <Directory> container and in .htaccess):

  1. 'FileETag None' causes no ETag field to be included in the response if the document is file-based. Clients then fall back to Last-Modified and If-Modified-Since for conditional requests.

    Edit the httpd.conf file and add the following line:

    FileETag None

  2. To keep the ETag but omit only the inode component, use the following syntax:

    FileETag MTime Size

    The resulting ETag is built from the file's modification time and size only, so it no longer discloses the inode and is the same on every server that holds an identical copy of the file.

Verify that LoadModule headers_module modules/mod_headers.so is commented out in the httpd.conf file.

Save the changes to httpd.conf and restart IBM HTTP Server for the changes to take effect. After the restart, repeat the trace or request a static file with a client and confirm that the ETag header is either absent (FileETag None) or contains only two fields (FileETag MTime Size).
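The following Python script is an added example, not part of this technote or of IBM HTTP Server: it decodes the ETag from the trace in the Diagnosing section into its inode, size and modification-time fields, and it classifies a response so the same check can be run on headers captured before and after the FileETag change. The three responses embedded in it are constructed; the "default" one reuses the ETag from the trace, and the other two are assumed results of 'FileETag MTime Size' and 'FileETag None' for the same file.

```python
"""Decode httpd-style file ETags and flag inode disclosure (added example)."""
import re
from email.utils import parsedate_to_datetime

# Constructed sample responses for one static file (3216 bytes, last modified
# Wed, 03 Nov 2010 22:02:14 GMT). "default" reuses the ETag from the trace
# in the technote (FileETag INode MTime Size); the other two are assumed
# responses for the same file after "FileETag MTime Size" and "FileETag None".
RESPONSES = {
    "default": (
        "HTTP/1.1 200 OK\r\n"
        "Last-Modified: Wed, 03 Nov 2010 22:02:14 GMT\r\n"
        'ETag: "11e2-c90-4942d31a24580"\r\n'
        "Content-Length: 3216\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "mtime_size": (
        "HTTP/1.1 200 OK\r\n"
        "Last-Modified: Wed, 03 Nov 2010 22:02:14 GMT\r\n"
        'ETag: "c90-4942d31a24580"\r\n'
        "Content-Length: 3216\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "none": (
        "HTTP/1.1 200 OK\r\n"
        "Last-Modified: Wed, 03 Nov 2010 22:02:14 GMT\r\n"
        "Content-Length: 3216\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
}

# httpd file ETags: optional weak prefix, then quoted hex fields joined by '-'.
ETAG_RE = re.compile(r'(?:W/)?"([0-9a-f]+(?:-[0-9a-f]+)*)"')


def parse_headers(raw):
    """Return {lowercase-name: value} for the header block of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def etag_fields(etag):
    """Split an httpd file ETag into integer fields, or return None if it is
    not one (for example an application-generated ETag relayed by the server)."""
    m = ETAG_RE.fullmatch(etag.strip())
    return [int(x, 16) for x in m.group(1).split("-")] if m else None


def analyze(raw):
    """Label each ETag field and report whether the inode number is exposed.

    httpd writes the enabled fields in the fixed order inode, size, mtime
    (mtime in microseconds since the epoch). Size is cross-checked against
    Content-Length and mtime against Last-Modified; a field matching neither
    is taken to be the inode.
    """
    h = parse_headers(raw)
    etag = h.get("etag")
    if etag is None:
        return {"etag": None, "fields": [], "inode_exposed": False}
    fields = etag_fields(etag)
    if fields is None:
        return {"etag": etag, "fields": None, "inode_exposed": None}
    size = int(h["content-length"]) if "content-length" in h else None
    mtime_us = None
    if "last-modified" in h:
        mtime_us = int(parsedate_to_datetime(h["last-modified"]).timestamp()) * 1_000_000
    labels = []
    for value in fields:
        if value == size:
            labels.append(("size", value))
        elif value == mtime_us:
            labels.append(("mtime_us", value))
        else:
            labels.append(("inode", value))
    return {"etag": etag, "fields": labels,
            "inode_exposed": any(k == "inode" for k, _ in labels)}


if __name__ == "__main__":
    for name, raw in RESPONSES.items():
        print(name, analyze(raw))
```

Run it directly to see the three classifications. analyze() returns 'inode_exposed': None for an ETag that is not in httpd's hex-field format, which is the case for ETags generated by a back-end application rather than by the server itself; those are outside the scope of FileETag.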

Documentation reference for FileETag:
http://publib.boulder.ibm.com/httpserv/manual70/mod/core.html#fileetag

Note: FileETag only governs ETags that IBM HTTP Server generates for files it serves itself; an ETag set by a back-end application and relayed through the server is not affected by this directive. If configuring FileETag does not stop the scanner from reporting the finding, consult the security scan vendor to determine how to get the scanner to stop reporting it as a vulnerability.

Document information

More support for: IBM HTTP Server
Base Server

Software version: 6.0, 6.1, 7.0, 8.0, 8.5, 8.5.5

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 1566450

Modified date: 15 December 2011
