Web server security considerations

Be aware of the following security considerations for your web server and take the recommended actions to minimize any security exposure.

  • Follow the security bulletins of your web server to ensure that you are aware of any potential issues that are considered to be security vulnerabilities. IBM security bulletins provide security risk assessment information to help you assess if a particular issue might impact your organization.
  • Disable weak SSL protocols. For example, SSLv2 and SSLv3.
  • Disable weak SSL ciphers. For example, RC4.
  • Use TLSv1.2 with an AEAD cipher suite to maximize transport layer security and mitigate a potential POODLE attack. For information on how to enforce the use of TLSv1.2 with WebSphere Commerce, see Enforcing TLS Version 1.2.
    Note: Older web browsers might not support TLSv1.2 by default. Ensure that you use a protocol that allows your site to be secure, while still allowing customers access.
  • Set up exception handling and disable standard web server behaviors to block requests that are designed to probe your web server. These requests can reveal information about the underlying technology and directory structure of your site.
    • All 4xx status codes should redirect to a generic error page. For custom error handling, see HCL customized error pages.
    • By default, most web servers identify themselves in each HTTP response. This information includes the web server software name and version. To disable this behavior on IBM HTTP Server, see AddServerHeader Directive.
  • Prevent host header injection by implementing RewriteRules to allow known hosts only. For more information, see Blocking unrecognized hostnames.
    For example,
    RewriteEngine ON
    RewriteCond %{HTTP_HOST} !=www.mycompanyname.com
    RewriteCond %{HTTP_HOST} !=mycompanyname.com
    RewriteRule .* - [F]