Web server security considerations

Be aware of the following security considerations for your web server and take the recommended actions to minimize any security exposure.

  • Follow the security bulletins of your web server to ensure that you are aware of any potential issues that are considered to be security vulnerabilities. IBM security bulletins provide security risk assessment information to help you assess if a particular issue might impact your organization.
  • Disable weak SSL protocols. For example, SSLv2 and SSLv3.
  • Disable weak SSL ciphers. For example, RC4.
  • Recommended: Use TLSv1.2 with an AEAD cipher suite to maximize transport layer security and mitigate a potential POODLE attack.
    Note: Older web browsers might not support TLSv1.2 by default. Ensure that you use a protocol that enables you to be secure, while still allowing customers to access your site.
  • Set up exception handling and disable standard web server behaviors to block requests that are designed to probe your web server. These requests can reveal information about the underlying technology and directory structure of your site.
    • All 4xx status codes should redirect to a generic error page. For custom error handling, see WebSphere customized error pages.
    • By default, most web servers identify themselves in each HTTP response. This information includes the web server software name and version. To disable this behavior on IBM HTTP Server, see AddServerHeader Directive.
  • Prevent host header injection by implementing RewriteRules to allow known hosts only. For more information, see Blocking unrecognized hostnames.
    For example,
    RewriteEngine ON
    RewriteCond %{HTTP_HOST} !=www.mycompanyname.com
    RewriteCond %{HTTP_HOST} !=mycompanyname.com
    RewriteRule .* - [F]