How do I hide or remove "X-ATG-Version" from the response header? - security

I am working with the ATG platform and cannot figure out how to hide or remove the section of the response header "X-ATG-Version: xxxxxxx". I am using JBoss and I have figured out how to remove the "X-powered-by" part of the header but no luck with the ATG part. I am trying to accomplish this for security purposes.

You are not saying which version of ATG you are running or whether you are hosting it behind a WebServer.
In the ATG Documentation it suggests that you can turn off the header in the HeadPipelineServlet using the addingAtgVersionHeader property. You can find the HeadPipelineServlet in the /atg/dynamo/servlet/pipeline/DynamoHandler component. When you do add this property, make sure you add it via the properties file and restart. Changing it in /dyn/admin does not make a difference.
Alternatively, you can hide it in your web server configuration. In Apache the following is sufficient:
Header unset X-ATG-Version
And it works reliably.
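A way to verify the fix from the outside, as an added example that is not part of the original answer: it parses a raw HTTP response and reports the headers that still fingerprint the stack. The two responses are constructed samples (the server and ATG version strings are placeholders), and the Server check tolerates a bare product name because Apache cannot drop that header without mod_security.

```python
import io
import re
from http.client import parse_headers

# Headers that should be absent from a hardened response. "Server" is treated
# separately: "ServerTokens Prod" reduces it to a bare product name, so only a
# version-bearing value is flagged.
REMOVE_ENTIRELY = ("x-powered-by", "x-atg-version", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, HTTPMessage headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    # parse_headers expects to start just after the status line and stops at
    # the first blank line, so the header block is re-terminated here.
    headers = parse_headers(io.BytesIO(header_block + b"\r\n\r\n"))
    return status_line.decode("iso-8859-1"), headers


def disclosure_findings(raw: bytes) -> dict:
    """Return {lower-cased header name: value} for each header that still leaks."""
    _, headers = parse_response(raw)
    findings = {}
    for name, value in headers.items():
        key = name.lower()
        if key in REMOVE_ENTIRELY or (key == "server" and VERSION_RE.search(value)):
            findings[key] = value
    return findings


# Constructed sample: an unhardened ATG-on-JBoss response served through Apache
# (version strings are placeholders, not real values).
BEFORE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.0 (Unix)\r\n"
    b"X-Powered-By: JSP/2.3\r\n"
    b"X-ATG-Version: xxxxxxx\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html></html>"
)
# Constructed sample: the same response after addingAtgVersionHeader=false,
# "Header unset X-Powered-By" and "ServerTokens Prod".
AFTER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html></html>"
)
```

Run `disclosure_findings` against the captured response before and after the change; an empty result means nothing version-bearing is left.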

Related

How to enable cross origin isolation? (the specifics)

I am hosting a website using 1and1 (ionos), and it is serving a HTML page with imported CSS and JS. I am trying to figure out how to enable cross origin isolation, but all I can find is that we need to enable certain response headers: https://web.dev/cross-origin-isolation-guide/.
Specifically in these instructions:
What does it mean to set a header on a top-level document? How does one accomplish this? I have done plenty of searching but have not found details on how to create/enable these response headers.
I need to do this in order to use SharedArrayBuffer in Firefox.

I need to remove or ignore the X-Frame-Options header. Should I use a proxy?

Premise
I need a way to remove the X-Frame-Options header from the responses from a few websites before those responses reach my browser.
I am doing this so that I can properly render my custom kiosk webpage, which has iframes that point to websites that don't want to show up in frames.
What I have tried
I have tried setting up a proxy using squid and configuring its reply_header_access option to deny X-Frame-Options headers as the server receives them, but that is for some reason not working as anticipated. I have verified that I am indeed going through the Squid proxy, and I have verified that the X-Frame-Options header persists despite my squid.conf file containing the following:
reply_header_access X-Frame-Options deny all
and having built squid (using Homebrew on my Mac) with the --enable-http-violations option.
Having chased down a lot of what might have gone wrong with this approach, I have decided that the reply_header_access option must not do exactly what I thought it does (modify headers before returning them to the client).
So, I tried using another proxy server. After reading a Stack Overflow question asking about a situation roughly similar to mine, I decided I might try using the node-http-proxy library. However, I have never used Node before, so I got lost pretty quickly and am stuck at a point where I am not sure how to implement the library for my specific purpose.
Question
Using Node seems like a potentially very easy solution, so how can I set up a proxy using Node that removes the X-Frame-Options header from responses?
Alternatively, why is Squid not removing the header even though I tried to set it up to do so?
Final alternative: Is there an easier way to reach my ultimate goal of rendering any page I want within an iframe?
I used a proxy, specifically mitmproxy with the following script:
drop_unwanted_headers.py:
from mitmproxy import http


def requestheaders(flow: http.HTTPFlow) -> None:
    # Snapshot the names first: popping while iterating the header multidict
    # would skip entries.
    for each_key in list(flow.request.headers.keys()):
        # Drop the Sec-* (Fetch metadata) request headers.
        if each_key.casefold().startswith("sec-"):
            flow.request.headers.pop(each_key)


def responseheaders(flow: http.HTTPFlow) -> None:
    # Header lookups in mitmproxy are case-insensitive.
    if "x-frame-options" in flow.response.headers:
        flow.response.headers.pop("x-frame-options")
    if "content-security-policy" in flow.response.headers:
        flow.response.headers.pop("content-security-policy")
To run it, do:
mitmproxy --script drop_unwanted_headers.py
Also ensure that your proxy settings point to the computer where the proxy server is running (maybe localhost) and the correct port is used.

Routing YII and CI

I have 2 (working well) applications providing APIs; the old one is based on CodeIgniter 2.1 and the new one on the Yes It Is framework. I need to redirect some actions from the old API to the new one. Routing should also provide filtering of request methods such as GET, POST, PUT, DELETE etc.
Folder structure looks like this:
ci
yii
router
At first I wanted to redirect all traffic to router/index.php where, depending on the URI, an appropriate app was loaded and started. It worked well with YII, but CI couldn't find its controllers/models/actions.
My second idea was to use .htaccess, but I couldn't make CI or YII work either. They start, but neither of them can find its controllers/models/actions. No errors are printed/logged into the apache logs.
When those 2 apps are fired "normally" everything works properly.
I've been changing configuration paths (to absolute ones) and still nothing. I don't want to change those applications a lot, small fixes would be much better.
Also there should be no option to fire an app without checking URI with "routes".
Finally I stayed with the PHP router as described in the question post. It turned out that CodeIgniter couldn't find its methods because the predefined variable $_SERVER['SCRIPT_NAME'] contained a wrong path, since the script was fired from another directory. I had it overridden in the router file and everything seems to work properly now.

How to get x-server variable back in IIS 7.x

I'm not sure if this was a change in IIS 7 or if someone before me actively removed X-Server from the HTTP response headers, but I need to be able to tell which server in the farm served the current page. I don't see X-Server in the custom variables section of IIS, but I'm not sure if it was a custom variable in the first place or if it's in the defaults and it's been disabled via web.config. How do I get my headers back?
You can use custom headers (http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders) to add any header you like.

How to hide the 'server' parameter in the apache2 http response header?

My question is posed in the title. But I ask also, instead of hiding it, isn't it possible to replace it with a custom value? Maybe via PHP or by editing the apache2 config?
Thanks in advance!
You could use mod_security for Apache; there is a directive called SecServerSignature which allows you to change the value of the Server header.
Another way would be to edit the source code :)
