Disabling ETag headers in IBM HTTP Server
After a security scan was run on the system, the vulnerability report showed that ETags were being sent in the response headers.
Diagnosing the problem
An IP trace on the IBM HTTP Server showed ETags being returned in the response header.
HTTP/1.1 200 OK
Date: Wed, 24 Aug 2011 16:53:55 GMT
Last-Modified: Wed, 03 Nov 2010 22:02:14 GMT
Keep-Alive: timeout=10, max=100
Resolving the problem
There are two ways to remove the ETags in the httpd.conf file:
- Using 'FileETag None' causes no ETag field to be included in the response when the document is file-based. Edit the httpd.conf file and add the following line:
FileETag None
- To omit only the inode from the ETag, use the following syntax:
FileETag MTime Size
Verify that LoadModule headers_module modules/mod_headers.so is commented out in the httpd.conf file.
Save the changes to httpd.conf and restart IBM HTTP Server for the changes to take effect.
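To confirm which of the two settings above is in effect after the restart, the following added check (not part of the technote) classifies a captured response header block. It assumes the httpd ETag layout of dash-separated hex fields (inode-size-mtime when INode is enabled, size-mtime for FileETag MTime Size); the sample responses and their ETag values are constructed for illustration.

```python
import re

# Constructed sample responses (not from the technote). The ETag values are
# made up: the first mimics the default FileETag INode MTime Size layout,
# the second FileETag MTime Size, the third FileETag None.
RESPONSE_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 24 Aug 2011 16:53:55 GMT\r\n"
    "Last-Modified: Wed, 03 Nov 2010 22:02:14 GMT\r\n"
    'ETag: "2c1a7-2c-4931a6a0e4180"\r\n'
    "Keep-Alive: timeout=10, max=100\r\n\r\n"
)
RESPONSE_MTIME_SIZE = (
    "HTTP/1.1 200 OK\r\n"
    'ETag: "2c-4931a6a0e4180"\r\n'
    "Keep-Alive: timeout=10, max=100\r\n\r\n"
)
RESPONSE_NONE = (
    "HTTP/1.1 200 OK\r\n"
    "Last-Modified: Wed, 03 Nov 2010 22:02:14 GMT\r\n"
    "Keep-Alive: timeout=10, max=100\r\n\r\n"
)


def etag_status(raw_response: str) -> str:
    """Classify the ETag exposure of one HTTP response header block.

    Returns 'absent' (FileETag None in effect), 'inode-exposed' for three
    hex fields (httpd emits inode-size-mtime when INode is enabled),
    'no-inode' for two fields (size-mtime, i.e. FileETag MTime Size), or
    'unknown' for any other value. The field-count heuristic assumes only
    the two configurations described in the technote are in use.
    """
    headers, _, _ = raw_response.partition("\r\n\r\n")
    for line in headers.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "etag":  # header names are case-insensitive
            value = value.strip()
            if value.startswith("W/"):  # weak validator, same field layout
                value = value[2:]
            fields = value.strip('"').split("-")
            if all(re.fullmatch(r"[0-9a-f]+", f) for f in fields):
                if len(fields) == 3:
                    return "inode-exposed"
                if len(fields) == 2:
                    return "no-inode"
            return "unknown"
    return "absent"
```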
Documentation reference for FileETag:
Note: It is advised to consult with the security scan vendor to determine how to get the scanner to stop reporting this CVE as a vulnerability if configuring FileETag for the HTTP Server does not do so.
More support for:
IBM HTTP Server
Software version: 6.0, 6.1, 7.0, 8.0, 8.5, 8.5.5
Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Reference #: 1566450
Modified date: 15 December 2011