Former Member

Server header being shown although set to FALSE

We installed a webdispatcher and got a security test on the project.

The analyst came back with the remark that the servername is being exposed in the header.

Now I looked it up in the Webdispatcher parameters, but there the parameter is set to FALSE:

is/HTTP/show_server_header false

So according to the SAP documentation (note 1616535), if this is set to false:

When you change this, the "Server:" header field is no longer set in HTTP responses.

But still we get the info from the PI server.

Does it also need to be set in the ICM parameters on the PI side? There the parameter is set to 1.

Although security marked it as Low, it is still a possibility for "Malicious users can use this information for attacks."


1 Answer

  • Best Answer
    Jun 03, 2015 at 03:40 PM

    Hi Christian,

    Hope you are doing good.

    Nice to hear from you again.
    The SAP version was not mentioned.
    Please also see notes 1329326 and 2045861; you need to be on the SP and the kernel level mentioned.

    Hope this helps.

    _ _ _ _ _ _ _ _ _

    Kind Regards,

    Hemanth
    SAP AGS
    _ _ _ _ _ _ _ _ _
