PH04673: REMOVE HTTP HEADER X-PAD

8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21

APAR status

• Closed as program error.

Error description

• Under some conditions, IHS up to v 8.5.x can sent the following
  http header : X-pad
  This can be used to guess the version of IHS.
  

Local fix

• Upgrade to IHS v9.x
  

Problem summary

• ****************************************************************
  * USERS AFFECTED:  Users of IBM HTTP Server                    *
  ****************************************************************
  * PROBLEM DESCRIPTION: IHS sometimes sends "x-pad" header.     *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  The x-pad header is used to work around an ancient Mozilla
  bug. The workaround has not been required for many years, and
  some scanners consider the header to be a fingerprinting
  mechanism.
  

Problem conclusion

• Code was added to allow the header to be
  suppressed. It is enabled with
  'SuppressXPadHeader ON'.
  
  This header is not generated by IHS 9.0.
  
  The fix for this APAR is expected to be included in IHS
  8.5.5.15 and later.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  IBM HTTP SERVER

• Fixed component ID

  5724J0801

Applicable component levels

• R850 PSY

     UP