Symptoms

An internal IP address is disclosed in the HTTP Via response header when opening the provider or reseller brand link https://cp.domain.tld/aps/2/resources/.

The IP address or internal hostname obtained from this header gives an attacker technical information about the internal infrastructure, which could potentially be used as a starting point for further attacks.

Cause

This behavior will be fixed in a future release in the scope of the request APS-35995: Consider removal of "Via" Header in APS response, as it's claimed as insecure.

Resolution

Please contact your TAM or PTA to track the status of APS-35995. Until the fix is released, the following workaround can be used to prevent the issue:

  1. Check whether headers_module is loaded:

    # httpd -M | grep headers_module

  2. If it is not loaded, add it to /etc/httpd/conf/httpd.conf (in case of NG hosting) or to /usr/local/pem/etc/apache/httpd.conf_pem (in case of Legacy Shared Hosting):

    LoadModule headers_module modules/mod_headers.so

  3. Unset the header in the same httpd.conf:

    <IfModule mod_headers.c>
    Header unset Via
    </IfModule>

  4. Restart the httpd service to apply the changes:

    a. in case of NG hosting:

        # service httpd restart
    

    b. in case of Legacy Shared Hosting:

        # service pemhttpd restart
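The four steps above, collected into one idempotent POSIX shell script. This is an added example and not part of the original article or the product: the function names are assumptions, the two config paths default to the ones the article names, and the final check assumes curl is available on the host. Running the script twice must not duplicate the directives, which is why each step tests for the directive before appending it.

```shell
#!/bin/sh
# Added example (not from the KB article): apply the "Header unset Via"
# workaround to an Apache config file and verify that it took effect.
# Default config paths are those named in the article; the function
# names below are this example's own.

CONF_NG=/etc/httpd/conf/httpd.conf
CONF_LEGACY=/usr/local/pem/etc/apache/httpd.conf_pem

# module_loaded_in_conf FILE: 0 if a LoadModule line for headers_module exists
module_loaded_in_conf() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+headers_module[[:space:]]' "$1"
}

# ensure_headers_module FILE: step 2, append the LoadModule line only if missing
ensure_headers_module() {
    if ! module_loaded_in_conf "$1"; then
        printf '%s\n' 'LoadModule headers_module modules/mod_headers.so' >> "$1"
    fi
}

# via_unset_in_conf FILE: 0 if "Header unset Via" is already configured
via_unset_in_conf() {
    grep -Eq '^[[:space:]]*Header[[:space:]]+unset[[:space:]]+Via[[:space:]]*$' "$1"
}

# ensure_via_unset FILE: step 3, append the IfModule block only if missing
ensure_via_unset() {
    if ! via_unset_in_conf "$1"; then
        cat >> "$1" <<'EOF'
<IfModule mod_headers.c>
Header unset Via
</IfModule>
EOF
    fi
}

# apply_workaround FILE: steps 2 and 3 together; returns 0 when both
# directives are present afterwards
apply_workaround() {
    ensure_headers_module "$1"
    ensure_via_unset "$1"
    module_loaded_in_conf "$1" && via_unset_in_conf "$1"
}

# restart_httpd SERVICE: step 4; pass "httpd" (NG) or "pemhttpd" (Legacy)
restart_httpd() {
    service "$1" restart
}

# via_header_absent URL: post-restart check, 0 when the response carries no
# Via header at all (assumes curl is installed; needs network access)
via_header_absent() {
    ! curl -sSI "$1" | grep -iq '^Via:'
}

# Typical use on an NG host (not executed when the file is only sourced):
#   apply_workaround "$CONF_NG" && restart_httpd httpd
#   via_header_absent https://cp.domain.tld/aps/2/resources/ && echo "Via header removed"
```

The grep patterns anchor on the directive keywords rather than on whole lines, so an existing LoadModule or Header line with different spacing is still recognised and not duplicated.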
    
