Hiding Server Signature/Banner Information of Liferay Server

Liferay servers include server banner information in every response they send back. This information can be a weakness with respect to the security of your website/portal. A sample response header is shown below; note the Server and Liferay-Portal lines:

Date: Tue, 29 Jan 2013 11:02:43 GMT
Content-Encoding: gzip
Server: Apache/2.2.3 (Red Hat)
ETag: "1a467a7a"
Liferay-Portal: Liferay Portal Enterprise Edition 6.1.20 EE (Paton / Build 6120 / July 31, 2012)
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Connection: Keep-Alive
Content-Length: 9105

This information can be hidden or changed with very basic configuration in the servers and the portal.

Hiding Liferay-Portal Signature/Header/Banner

Liferay provides a portal property to set the verbosity level of the Liferay-Portal header.

# Full: provides full information including version information (Liferay Portal Enterprise Edition 6.1.20 EE)
http.header.version.verbosity=full

OR

# Partial: provides only the name of the server (Liferay Portal Enterprise Edition)
http.header.version.verbosity=partial

This still does not hide the information completely. There is, however, a strange solution available without any coding: add one of the properties below to portal-ext.properties to hide the Liferay-Portal header.

# For Community Edition
http.header.version.verbosity=Liferay Portal Community Edition

OR

# For Enterprise Edition
http.header.version.verbosity=Liferay Portal Enterprise Edition

Updating Server Signature/Banner in Tomcat

To update the Server header in Tomcat, open the server.xml file at CATALINA_HOME/conf/server.xml.

Add or update the server attribute in the <Connector> element as below:
<Connector 
  URIEncoding="UTF-8" 
  connectionTimeout="20000" 
  port="8080" 
  protocol="HTTP/1.1" 
  redirectPort="8443" 
  server="Technical Annex"
 />

This change hides the actual server information and updates the response header as below:
Date: Tue, 29 Jan 2013 11:02:43 GMT
Content-Encoding: gzip
Server: Technical Annex
ETag: "1a467a7a"
Liferay-Portal: Liferay Portal Enterprise Edition 6.1.20 EE (Paton / Build 6120 / July 31, 2012)
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8
Connection: Keep-Alive
Content-Length: 9105

Refer to the article Securing Tomcat by OWASP if you are seriously interested in making your Tomcat server secure.

Hiding Server Signature/Banner in Apache

To hide the Apache server signature/banner, open the Apache configuration file, usually Apache_Server_Home/apache2.conf.

Set the ServerSignature and ServerTokens directives to disable the server signature/banner as below:
ServerSignature Off
ServerTokens ProductOnly
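
After applying the settings above, check the response headers again to confirm what is still disclosed. The Python script below is an added example, not code from the original post: it classifies the Server and Liferay-Portal headers as leaking a version, a product name, or nothing. The function names, the product-name list, and the PARTIAL and HARDENED samples are assumptions constructed for illustration; BEFORE and AFTER_TOMCAT use header values from the sample responses on this page.

```python
import re

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")            # dotted version, e.g. 2.2.3
# Assumed list of product names to flag; extend it for your own stack.
PRODUCT_RE = re.compile(r"apache|coyote|tomcat|liferay", re.I)
BANNER_HEADERS = ("server", "liferay-portal")        # the two headers this page covers

def parse_headers(raw):
    """Turn 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Map each banner header to 'version' or 'product' if it still discloses that."""
    findings = {}
    headers = parse_headers(raw)
    for name in BANNER_HEADERS:
        value = headers.get(name)
        if value is None:
            continue                                  # header absent: nothing disclosed
        if VERSION_RE.search(value):
            findings[name] = "version"
        elif PRODUCT_RE.search(value):
            findings[name] = "product"
    return findings

# Header values taken from the sample responses on this page.
BEFORE = """Server: Apache/2.2.3 (Red Hat)
Liferay-Portal: Liferay Portal Enterprise Edition 6.1.20 EE (Paton / Build 6120 / July 31, 2012)
Content-Type: text/html;charset=UTF-8"""
AFTER_TOMCAT = BEFORE.replace("Apache/2.2.3 (Red Hat)", "Technical Annex")
# Constructed: what http.header.version.verbosity=partial would leave behind.
PARTIAL = AFTER_TOMCAT.replace(" 6.1.20 EE (Paton / Build 6120 / July 31, 2012)", "")
# Constructed: Liferay-Portal header hidden, Apache with ServerTokens ProductOnly.
HARDENED = """Server: Apache
Content-Type: text/html;charset=UTF-8"""

if __name__ == "__main__":
    for label, raw in [("before", BEFORE), ("after tomcat", AFTER_TOMCAT),
                       ("partial", PARTIAL), ("hardened", HARDENED)]:
        print(label, audit(raw))
```

With ServerTokens ProductOnly, Apache still sends "Server: Apache", so the audit reports a product-name finding for that header rather than nothing.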
