Masking the web server software in your http header/http server banner (server header obfuscation) is an important layer of security you might want to implement since it can be accomplished so easily on a Netscaler. It’s a layer of security you can add to prevent someone from telling what kind of web server you are running, such as Microsoft IIS or Apache, though it is still quite possible to figure out depending on your environment and application so don’t rely on it too much. The thought is an attacker scans for certain versions of a web server that have known vulnerabilities and begins running attacks for that specific web server software to see if those vulnerabilities have been patched or not. They can do this programmatically so changing the header to say something else is a layer of security that can prevent them from easily figuring out what your web environment infrastructure is like.
You will notice that Chase.com uses “JPMC1.0”:
Amazon.com uses just “Server”:
Google.com uses “gws”:
This can be done very easily using rewrite policies on the Netscaler. Catherine Hampton wrote a great article over at the Citrix Developer Network on how to do this:
http://community.citrix.com/display/ns/Using+Rewrite+to+Improve+Web+Server+Security
And if you want to read more about web server fingerprinting, check Net-square’s website and their httprint tool:
http://www.net-square.com/httprint.html
Saumil Shah at Net-square wrote an excellent and very thorough article on HTTP fingerprinting here:
