IBM Support

Disabling ETag headers in IBM HTTP Server

Technote (troubleshooting)


After a security scan was run on the system, the vulnerability report showed that ETags were being used in the response headers.



Diagnosing the problem

An IP trace on the IBM HTTP Server showed that ETags were being displayed in the response header.

HTTP/1.1 200 OK
Date: Wed, 24 Aug 2011 16:53:55 GMT
Server: IBM_HTTP_Server
Last-Modified: Wed, 03 Nov 2010 22:02:14 GMT
ETag: "11e2-c90-4942d31a24580"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 3216
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html

Resolving the problem

There are two ways to remove the ETags in the httpd.conf file:

  1. Using 'FileETag None' causes no ETag field to be included in the response if the document is file-based.

    Edit the httpd.conf file and add the following line:

    FileETag None

  2. To omit only the inode from the ETag, use the following syntax:

    FileETag MTime Size

Verify that LoadModule headers_module modules/ is commented out in the httpd.conf file.

Save the changes in the httpd.conf file and restart IBM HTTP Server for the changes to take effect.
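To confirm the result after the restart, the following added example (not IBM's code) classifies a captured response as still exposing the inode, carrying an ETag without it, or carrying no ETag. It assumes the Apache-style ETag layout of hexadecimal inode, size and modification time in microseconds, which the values in the trace above agree with; the function names and the two constructed samples are hypothetical.

```python
from email.utils import parsedate_to_datetime

# Response headers taken from the trace on this page.
TRACE = '''HTTP/1.1 200 OK
Last-Modified: Wed, 03 Nov 2010 22:02:14 GMT
ETag: "11e2-c90-4942d31a24580"
Content-Length: 3216
'''
# Constructed sample: same resource with the inode field dropped (FileETag MTime Size).
CONSTRUCTED_NO_INODE = TRACE.replace('"11e2-c90-', '"c90-')
# Constructed sample: same response with no ETag header at all (FileETag None).
CONSTRUCTED_NONE = "".join(l for l in TRACE.splitlines(True) if not l.startswith("ETag"))


def headers_of(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-case header name."""
    pairs = (line.split(":", 1) for line in raw.splitlines()[1:] if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}


def classify_etag(raw):
    """Return ('absent' | 'no-inode' | 'inode-exposed' | 'unrecognized', decoded fields)."""
    hdrs = headers_of(raw)
    etag = hdrs.get("etag")
    if etag is None:
        return "absent", {}
    if etag.startswith("W/"):  # weak validator prefix
        etag = etag[2:]
    try:
        fields = [int(part, 16) for part in etag.strip('"').split("-")]
        modified = int(parsedate_to_datetime(hdrs["last-modified"]).timestamp())
    except (KeyError, TypeError, ValueError):
        return "unrecognized", {}
    # Trust the assumed layout only if the last field is Last-Modified in microseconds.
    if len(fields) not in (2, 3) or fields[-1] // 1_000_000 != modified:
        return "unrecognized", {}
    decoded = {"size": fields[-2], "mtime": modified}
    if len(fields) == 3:
        decoded["inode"] = fields[0]
        return "inode-exposed", decoded
    return "no-inode", decoded


if __name__ == "__main__":
    samples = [("trace", TRACE), ("MTime Size", CONSTRUCTED_NO_INODE), ("None", CONSTRUCTED_NONE)]
    for label, raw in samples:
        print(label, classify_etag(raw))
```

For the trace above, the decoded size equals the Content-Length value and the decoded time equals Last-Modified, so the remaining leading field is the one that 'FileETag MTime Size' removes.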

Documentation reference for FileETag:

Note: It is advised to consult with the security scan vendor to determine how to get the scanner to stop reporting this CVE as a vulnerability if configuring FileETag for the HTTP Server does not do so.

Document information

More support for: IBM HTTP Server
Base Server

Software version: 7.0, 8.0, 8.5, 8.5.5

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 1566450

Modified date: 15 December 2011
