Vulnerability: Server leaks information

Vulnerability Summary:
Server leaks information via X-Powered-By HTTP response header field(s)

Vulnerability Details

The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. This information may help attackers identify other frameworks/components that your web application relies on, and those components may be subject to vulnerabilities.

Disposition

IBM Control Desk - WebSphere Server (WAS) Configuration

Configuration/Resolution Steps

This security vulnerability is reported by the OWASP ZAP security scan tool for IBM Control Desk. If this vulnerability is reported and a client is concerned that the X-Powered-By field in the response header is a security risk, you can disable it.

To remove this security vulnerability in the WAS configuration, perform the following steps if you are using WebSphere®:
  1. In the WebSphere administration console, navigate to Servers > Server Types > WebSphere application servers > server_name > Web Container Settings > Web Container.
  2. Under Additional Properties select Custom Properties. On the Custom Properties page, click New.
  3. On the Settings page, create a custom property named com.ibm.ws.webcontainer.disablexPoweredBy and set the value to true.
  4. Click Apply or OK.
  5. Click Save on the console taskbar to save your configuration changes.
  6. Restart the server.
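
To confirm the change after the restart, the response headers can be checked for any remaining X-Powered-By field. The script below is an added example, not IBM code: the function name find_powered_by, the sample header blocks and the HOST/PORT placeholders are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Sample headers below are constructed.

# Read raw HTTP response headers on stdin, print the value of every
# X-Powered-By field, and return 1 if any was found (0 if none).
find_powered_by() {
    awk '
        { sub(/\r$/, "") }                 # header lines end in CRLF
        {
            i = index($0, ":")
            if (i == 0) next               # status line or blank line
            name = tolower(substr($0, 1, i - 1))   # field names are case-insensitive
            if (name == "x-powered-by") {
                value = substr($0, i + 1)
                sub(/^[ \t]+/, "", value)
                print value
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed response headers: before the custom property is set ...
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nX-Powered-By: Servlet/3.1\r\nContent-Type: text/html\r\n\r\n'
}

# ... and after the property is set and the server restarted.
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}

for sample in sample_before sample_after; do
    if leaked=$("$sample" | find_powered_by); then
        echo "$sample: no X-Powered-By field"
    else
        echo "$sample: X-Powered-By still sent: $leaked"
    fi
done

# Against a live server (HOST and PORT are placeholders):
#   curl -s -o /dev/null -D - "https://HOST:PORT/" | find_powered_by
```

If the field is still reported after the restart, it may be added by a component in front of the web container (for example a proxy or another framework), which this custom property does not control.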

Reference

https://www.ibm.com/docs/en/was/9.0.5?topic=configuration-web-container-custom-properties