Liferay servers include server banner information with every response they send back. This information can be a weakness with respect to the security of your website/portal. A sample response header is shown below; note the Server and Liferay-Portal lines:
    Date: Tue, 29 Jan 2013 11:02:43 GMT
    Content-Encoding: gzip
    Server: Apache/2.2.3 (Red Hat)
    ETag: "1a467a7a"
    Liferay-Portal: Liferay Portal Enterprise Edition 6.1.20 EE (Paton / Build 6120 / July 31, 2012)
    Vary: Accept-Encoding
    Content-Type: text/html;charset=UTF-8
    Connection: Keep-Alive
    Content-Length: 9105

This information can be hidden or changed with very basic configuration in the servers and the portal.
Hiding Liferay-Portal Signature/Header/Banner
Liferay provides a portal property to set the level of verbosity of the Liferay-Portal header.

    # Full: provide full information, including version information (Liferay Portal Enterprise Edition 6.1.20 EE)
    http.header.version.verbosity=full

OR

    # Partial: provide only the name of the server (Liferay Portal Enterprise Edition)
    http.header.version.verbosity=partial

Neither setting hides this information completely. There is, however, a strange solution that requires no coding: add the property below to portal-ext.properties to hide the Liferay-Portal header.

    # For Community Edition
    http.header.version.verbosity=Liferay Portal Community Edition

OR

    # For Enterprise Edition
    http.header.version.verbosity=Liferay Portal Enterprise Edition
Updating Server Signature/Banner in Tomcat
To update the Server header in Tomcat, open the server.xml file at CATALINA_HOME/conf/server.xml.
Add or update the server attribute in the <Connector> element as below:
<Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443" server="Technical Annex" />
This change hides the actual server information and updates the response header as below:

    Date: Tue, 29 Jan 2013 11:02:43 GMT
    Content-Encoding: gzip
    Server: Technical Annex
    ETag: "1a467a7a"
    Liferay-Portal: Liferay Portal Enterprise Edition 6.1.20 EE (Paton / Build 6120 / July 31, 2012)
    Vary: Accept-Encoding
    Content-Type: text/html;charset=UTF-8
    Connection: Keep-Alive
    Content-Length: 9105

Refer to the OWASP article Securing Tomcat if you are serious about making your Tomcat server secure.
Hiding Server Signature/Banner in Apache
To hide the Apache server signature/banner, open the Apache configuration file, usually Apache_Server_Home/apache2.conf.
Set the ServerSignature and ServerTokens directives to disable the server signature/banner as below:

    ServerSignature Off
    ServerTokens ProductOnly
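To confirm that the settings above took effect, check what the response headers still reveal. The script below is an added example, not part of the original article: it audits the Server and Liferay-Portal headers of the article's two sample responses and of a constructed, fully hardened response. The function names and the HARDENED sample are assumptions made for illustration.

```python
import re

VERSION = re.compile(r"\d+(?:\.\d+)+")   # dotted version such as 2.2.3 or 6.1.20
PLATFORM = re.compile(r"\([^)]*\)")      # parenthesised comment such as (Red Hat)

# The article's two sample responses, trimmed to the relevant headers.
BEFORE = """Date: Tue, 29 Jan 2013 11:02:43 GMT
Server: Apache/2.2.3 (Red Hat)
Liferay-Portal: Liferay Portal Enterprise Edition 6.1.20 EE (Paton / Build 6120 / July 31, 2012)
Content-Type: text/html;charset=UTF-8"""
AFTER_TOMCAT = BEFORE.replace("Apache/2.2.3 (Red Hat)", "Technical Annex")
# Constructed sample: ServerTokens ProductOnly in effect, Liferay-Portal header absent.
HARDENED = """Date: Tue, 29 Jan 2013 11:02:43 GMT
Server: Apache
Content-Type: text/html;charset=UTF-8"""


def parse_headers(raw):
    """Turn a raw header block ('Name: value' per line) into {lower-case name: value}."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_banner(raw):
    """Return (header, kind) findings for the two banner headers the article covers."""
    headers = parse_headers(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION.search(server):
        findings.append(("Server", "version"))
    if PLATFORM.search(server):
        findings.append(("Server", "platform"))
    portal = headers.get("liferay-portal")
    if portal is not None:
        # Any Liferay-Portal header names the product; a dotted number adds the release.
        kind = "version" if VERSION.search(portal) else "product"
        findings.append(("Liferay-Portal", kind))
    return findings


if __name__ == "__main__":
    samples = [("before", BEFORE), ("after Tomcat change", AFTER_TOMCAT), ("hardened", HARDENED)]
    for label, raw in samples:
        print(label, "->", audit_banner(raw) or "no banner disclosure")
```

To check a running portal, save the output of `curl -sI` against it to a file and pass the file's contents to `audit_banner`.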