Search Engine: Elastic

Article ID: 128893, created on May 29, 2016, last review on May 29, 2016

  • Applies to:
  • Operations Automation


An internal IP address is shown in HTTP Via header when opening the link of provider or reseller brand https://cp.domain.tld/aps/2/resources/.

The IP address or internal hostname obtained from the header allows an attacker to obtain technical information, which could be potentially used as a platform for further attacks.


Such behavior will be fixed in future in scope of the request APS-35995: Consider removal of "Via" Header in APS response, as it's claimed as insecure.


Please contact your TAM or PTA to trace the status of APS-35995. For now the following workaround can be used to prevent the issue:

  1. Check if headers_module is loaded:

    # httpd -M | grep headers_module
  2. If not - include it into /etc/httpd/conf/httpd.conf (in case of NG hosting) or in /usr/local/pem/etc/apache/httpd.conf_pem (in case of Legacy Shared Hosting):

    LoadModule headers_module modules/
  3. Disable header in httpd.conf:

    <IfModule mod_headers.c>
    Header unset Via
  4. restart httpd service to apply changes:

    a. in case of NG hosting:

        # service httpd restart

    b. in case of Legacy Shared Hosting:

        # service pemhttpd restart

5356b422f65bdad1c3e9edca5d74a1ae caea8340e2d186a540518d08602aa065 e12cea1d47a3125d335d68e6d4e15e07

Email subscription for changes to this article
Save as PDF