The A10 Networks ADC, when used to load balance web applications, must strip HTTP response headers.

An XCCDF Rule

Description

<VulnDiscussion>Providing too much information in error messages risks compromising the data and security of the application and system. HTTP response headers can disclose vulnerabilities about a web server. This information can be used by an attacker. The A10 Networks ADC can filter response headers; this removes the web server’s identifying headers in outgoing responses (such as Server, X-Powered-By, and X-AspNet-Version).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-237040r639567_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

If the device is used to load balance web servers, configure the device to strip HTTP response headers.

The following commands create a WAF template and enable its option to strip identifying HTTP response headers:
slb template waf
filter-resp-hdrs
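As an added illustration (not part of the STIG or of A10's ACOS code), the check below parses a raw HTTP response, reports the identifying headers the rule names (Server, X-Powered-By, X-AspNet-Version), and rebuilds the response as a header filter like filter-resp-hdrs would forward it; the header set and the sample response are constructed assumptions a reviewer would extend to their own environment.

```python
"""Detect and strip server-identifying HTTP response headers.
Added example with constructed data; not A10 or DISA code."""

# Header names taken from the rule text; lower-cased for case-insensitive matching.
# Extend this set as an assumption for other headers your backends emit.
IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def find_identifying_headers(raw: bytes):
    """Return the names, as sent, of headers that disclose server software."""
    _, headers, _ = parse_response(raw)
    return [name for name, _ in headers if name.lower() in IDENTIFYING_HEADERS]


def strip_identifying_headers(raw: bytes) -> bytes:
    """Rebuild the response without identifying headers, as the ADC filter would."""
    status, headers, body = parse_response(raw)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() not in IDENTIFYING_HEADERS]
    return ("\r\n".join([status] + kept) + "\r\n\r\n").encode("iso-8859-1") + body


# Constructed sample: a response as an unfiltered backend might send it.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Microsoft-IIS/10.0\r\n"
          b"X-Powered-By: ASP.NET\r\n"
          b"X-AspNet-Version: 4.0.30319\r\n"
          b"Content-Type: text/html\r\n"
          b"Content-Length: 5\r\n\r\n"
          b"hello")

if __name__ == "__main__":
    print("disclosing headers:", find_identifying_headers(SAMPLE))
    print(strip_identifying_headers(SAMPLE).decode("iso-8859-1"))
```

Running find_identifying_headers against a response captured from the ADC's client-facing side, after the template is applied, should return an empty list.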