Web server security considerations
Be aware of the following security considerations for your web server and take the recommended actions to minimize any security exposure.
- Follow the security bulletins of your web server to ensure that you are aware of any potential issues that are considered to be security vulnerabilities. IBM security bulletins provide security risk assessment information to help you assess if a particular issue might impact your organization.
- Disable weak SSL protocols. For example, SSLv2 and SSLv3.
- Disable weak SSL ciphers. For example, RC4.
- Recommended: Use TLSv1.2 with an AEAD cipher suite to maximize transport layer security and
mitigate a potential POODLE attack.Note: Older web browsers might not support TLSv1.2 by default. Ensure that you use a protocol that enables you to be secure, while still allowing customers to access your site.
- Set up exception handling and disable standard web server behaviors to block requests that are
designed to probe your web server. These requests can reveal information about the underlying
technology and directory structure of your site.
- All 4xx status codes should redirect to a generic error page. For custom error handling, see WebSphere customized error pages.
- By default, most web servers identify themselves in each HTTP response. This information includes the web server software name and version. To disable this behavior on IBM HTTP Server, see AddServerHeader Directive.
- Prevent host header injection by implementing
RewriteRules
to allow known hosts only. For more information, see Blocking unrecognized hostnames.For example,RewriteEngine ON RewriteCond %{HTTP_HOST} !=www.mycompanyname.com RewriteCond %{HTTP_HOST} !=mycompanyname.com ... RewriteRule .* - [F]