Web server security considerations
Be aware of the following security considerations for your web server and take the recommended actions to minimize any security exposure.
- Follow the security bulletins for your web server so that you are aware of any potential issues that are considered to be security vulnerabilities. IBM security bulletins provide security risk assessment information to help you assess whether a particular issue might impact your organization.
- Disable weak SSL protocols. For example, SSLv2 and SSLv3.
- Disable weak SSL ciphers. For example, RC4.
- Use TLSv1.2 with an AEAD cipher suite to maximize transport layer security and mitigate a potential POODLE attack. For information on how to enforce the use of TLSv1.2 with WebSphere Commerce, see Enforcing TLS Version 1.2.
Note: Older web browsers might not support TLSv1.2 by default. Use a protocol that allows the site to be secure, while still allowing customers access.
- Set up exception handling and disable standard web server behaviors to block requests that are designed to probe your web server. These requests can reveal information about the underlying technology and directory structure of the site.
- All 4xx status codes should redirect to a generic error page. For custom error handling, see WebSphere customized error pages.
- By default, most web servers identify themselves in each HTTP response. This information includes the web server software name and version. To disable this behavior on IBM HTTP Server, see the AddServerHeader directive.
- Prevent host header injection by implementing RewriteRules that allow known hosts only. See Blocking unrecognized hostnames. For example:
    RewriteEngine ON
    RewriteCond %{HTTP_HOST} !=www.mycompanyname.com
    RewriteCond %{HTTP_HOST} !=mycompanyname.com
    ...
    RewriteRule .* - [F]
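The following httpd.conf fragment is an example added here, not configuration taken from this page or from IBM's documentation. It brings the considerations above together for IBM HTTP Server (which is Apache based): TLS protocol and cipher restrictions, server header suppression, generic 4xx error handling, and a host allowlist. The hostname, key file and error page paths are placeholders. SSLEnable, Keyfile, SSLProtocolDisable, SSLProtocolEnable, SSLCipherSpec and AddServerHeader are IHS-specific directives; the cipher suite names are assumed to be the ones accepted by IHS 8.5.5 and later, so check the SSLCipherSpec documentation for your release. The host check uses a regular expression rather than the exact `!=` comparisons shown above so that one condition covers both hostnames and an explicit port, and it exempts the error page path so that a blocked request can still be served the generic error page.

```apache
# Added example for IBM HTTP Server (httpd.conf); placeholders throughout.

# --- Transport layer -----------------------------------------------------
<VirtualHost *:443>
    ServerName www.mycompanyname.com
    SSLEnable
    Keyfile /opt/IBM/HTTPServer/ssl/keystore.kdb    # placeholder path

    # Weak form on older releases: only "SSLProtocolDisable SSLv2", which
    # leaves SSLv3 (POODLE) and TLS 1.0/1.1 negotiable.
    # Hardened form: negotiate TLS 1.2 only. Add TLSv11 back to the enable
    # list only if customers on older browsers must still be served.
    SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
    SSLProtocolEnable  TLSv12

    # Weak form: the default "SSLCipherSpec ALL", which keeps RC4 negotiable.
    # Hardened form: remove RC4 and prefer AEAD (GCM) suites under TLS 1.2.
    SSLCipherSpec ALL -SSL_RSA_WITH_RC4_128_MD5 -SSL_RSA_WITH_RC4_128_SHA
    SSLCipherSpec TLSv12 +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    SSLCipherSpec TLSv12 +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    SSLCipherSpec TLSv12 +TLS_RSA_WITH_AES_128_GCM_SHA256
</VirtualHost>

# --- Information disclosure and probing -----------------------------------
# Weak form: the default "AddServerHeader on" sends "Server: IBM_HTTP_Server/<version>".
AddServerHeader off
ServerTokens Prod        # standard Apache: minimal product token if a header is sent at all
ServerSignature Off      # no version footer on server-generated error pages
TraceEnable off          # refuse HTTP TRACE, a common reconnaissance request

<Directory "/opt/IBM/HTTPServer/htdocs">    # placeholder document root
    Options -Indexes     # no automatic directory listings
</Directory>

# Every 4xx goes to one generic page, so a probe cannot distinguish
# "not found" from "forbidden" or "bad request" by the response body.
ErrorDocument 400 /error/generic.html
ErrorDocument 401 /error/generic.html
ErrorDocument 403 /error/generic.html
ErrorDocument 404 /error/generic.html
ErrorDocument 405 /error/generic.html
ErrorDocument 414 /error/generic.html

# --- Host header allowlist ------------------------------------------------
RewriteEngine On
# Let the internal request for the error page through; otherwise a request
# refused below would also be refused when Apache fetches /error/generic.html.
RewriteCond %{REQUEST_URI} !^/error/
# Accept only the two known hostnames, optionally with an explicit :443.
RewriteCond %{HTTP_HOST} !^(www\.)?mycompanyname\.com(:443)?$ [NC]
RewriteRule .* - [F]
```

After applying a fragment like this, confirm the result from a client: the TLS handshake must fail for SSLv3 and TLS 1.0, the negotiated suite should be a GCM suite, responses should carry no Server header with a version, a request for a nonexistent path and a request with an unrecognized Host header should both return the same generic page, and an HTTP TRACE request should be refused.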