WebLogic / JCS X-Powered-By Header and Penetration Tests

The following applies equally to WebLogic 11g / 12c and to JCS (Oracle Java Cloud Service, which runs WebLogic), and it matters when you harden a WebLogic installation.

The X-Powered-By Header

WebLogic adds an extra

X-Powered-By: Servlet/2.5 JSP/2.1

HTTP header to its responses (the exact value depends on the release). This follows a recommendation of the Servlet 2.4 specification. However, it is usually desirable to expose as little implementation detail as possible: the header tells anyone who asks which Servlet/JSP versions (and, at the higher levels described below, which WebLogic and JDK versions) are in use, so the default behavior regularly shows up as an information-disclosure finding in penetration test reports.

How to Disable

You can disable this behavior (and suppress the header completely) with the XPoweredByHeaderLevel setting of the WebAppContainerMBean. The documentation describes the setting as follows:

X-Powered-By Header: WebLogic Server uses the X-Powered-By HTTP header, as recommended by the Servlet 2.4 specification, to publish its implementation information.

Following are the options:

  • “NONE”: X-Powered-By header will not be sent
  • “SHORT” (default): “Servlet/2.4 JSP/2.0”
  • “MEDIUM”: “Servlet/2.4 JSP/2.0 (WebLogic/9.1)”
  • “FULL”: “Servlet/2.4 JSP/1.2 (WebLogic/9.1 JDK/1.4.1_05)”

MBean Attribute:
WebAppContainerMBean.XPoweredByHeaderLevel

The attribute is domain-wide (there is one WebAppContainerMBean per domain), so it covers every web application deployed in the domain. In the Administration Console it is on the domain's Web Applications configuration page, and it can also be set with WLST. After activating the change, send a request to the server (for example with curl -I) and confirm that the header is really gone.

For details, check the documentation.
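The change above as a repeatable script plus a verification step. This is an added example and not code from the original post or from Oracle: it assumes a WebLogic installation with WLST at $WL_HOME/common/bin/wlst.sh, and the admin URL, credentials and host names in it are placeholders. The WLST part navigates to the domain's WebAppContainer MBean in the edit tree and sets XPoweredByHeaderLevel; the check reads raw response headers (for example from curl -sI), fails when X-Powered-By is present, and reports which of the four documented levels the observed value implies (a heuristic based on the formats listed above: only FULL contains a JDK/ token, MEDIUM and FULL contain WebLogic/).

```shell
#!/bin/sh
# Added example, not part of the original post or of Oracle's tooling.
# Assumes WLST is available at "$WL_HOME/common/bin/wlst.sh"; the admin URL,
# credentials and host names below are placeholders to replace.

# Print a WLST (Jython) script that sets WebAppContainerMBean.XPoweredByHeaderLevel
# for the whole domain. LEVEL is NONE, SHORT, MEDIUM or FULL; NONE suppresses the header.
wlst_set_xpoweredby_level() {
    level=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$level" in
        NONE|SHORT|MEDIUM|FULL) ;;
        *) echo "unknown level: $1 (use NONE, SHORT, MEDIUM or FULL)" >&2; return 2 ;;
    esac
    cat <<EOF
# Generated WLST script (placeholder credentials and admin URL).
connect('weblogic', 'changeme', 't3://admin.example.com:7001')
edit()
startEdit()
domainName = cmo.getName()            # cmo is the DomainMBean at the edit-tree root
cd('/WebAppContainer/' + domainName)  # the domain's single WebAppContainerMBean
cmo.setXPoweredByHeaderLevel('$level')
save()
activate(block='true')
disconnect()
EOF
}

# Map an observed X-Powered-By value back to the documented levels (heuristic
# based on the four formats listed in the post): a JDK/ token only appears at
# FULL, a WebLogic/ token at MEDIUM or FULL, anything else is SHORT.
xpoweredby_level_of() {
    case "$1" in
        *JDK/*)      echo FULL ;;
        *WebLogic/*) echo MEDIUM ;;
        *)           echo SHORT ;;
    esac
}

# Read raw HTTP response headers (e.g. from `curl -sI`) on stdin. Returns 0 when
# no X-Powered-By header is present (hardened) and 1 when it is, printing the
# value and the inferred level so a pen-test finding can be reproduced exactly.
# Header names are matched case-insensitively and CRLF line endings are handled.
check_x_powered_by() {
    value=$(tr -d '\r' | grep -i '^x-powered-by:' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
    if [ -z "$value" ]; then
        echo "OK: no X-Powered-By header"
        return 0
    fi
    echo "FINDING: X-Powered-By: $value (level $(xpoweredby_level_of "$value"))"
    return 1
}

# Usage (not executed when this file is sourced):
#   wlst_set_xpoweredby_level NONE > set_xpoweredby.py
#   "$WL_HOME/common/bin/wlst.sh" set_xpoweredby.py
#   curl -sI https://app.example.com/ | check_x_powered_by
```

Run the check against every listener you expose (plain HTTP and HTTPS, and through any front-end such as OHS or a load balancer), since a proxy in front of WebLogic may add or strip headers of its own.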

 
