An attacker’s life is made easier by revealing system information, which provides them with a playbook of vulnerabilities to probe for. Although it may not be possible to completely obscure your technology stack, a few simple steps can deter most attackers. Scrub any debug or error information that may reveal what is happening behind the scenes – this is typically where an attacker will look for vulnerabilities first.
When a zero-day vulnerability is discovered, hackers immediately attempt to exploit it. If your website exposes information about the technology you use, you may become vulnerable to automated attacks.
Solution
Disable the “Server” HTTP Header and Other Related Headers.
Make sure to disable any HTTP response headers that reveal the server technology, language, and version in your web server configuration.
Make use of Clean URLs.
Avoid using file suffixes like.php,.asp, and.jsp in URLs; instead, use clean URLs.
Check that the cookie parameters are generic.
Make certain that no information about the technology stack is returned in cookies. This includes distinguishing parameter names, which should be as generic as possible.
Turn off Client-Side Error Reporting.
When unexpected errors occur, most web server stacks allow you to enable verbose error reporting, which means stack traces and routing information are printed in the HTML of the error page. Check that this is turned off in your production environment. In your testing environment, log files and other error reporting systems are useful, but in production, error reporting should be limited to the server-side.
Ensure that unexpected errors result in a generic HTTP 500 page. This may necessitate explicitly catching unexpected exceptions thrown while handling web requests, depending on your technology stack.
Sanitize Data Sent to the Client
Make sure that pages and AJAX responses only return the information that is required. If possible, database IDs should be obfuscated – and if you retain sensitive data for users, make sure it is only sent to the client-side in contexts where sharing is permitted.
JavaScript should be obfuscated.
This will make your pages load faster and make it more difficult for an attacker to probe for client-side vulnerabilities.
Cleanse Template Files
Use code reviews and static analysis tools to ensure that sensitive data does not end up in comments or dead code that is passed to the client.
Ensure that your web root directory is correctly configured.
Make sure to keep public and configuration directories separate, and that everyone on your team understands the distinction.
ZOFixer.com security scan helps to find this vulnerability in your software and server, you can easily use it by registering on our website and activating the 30-day trial.