Hidden Helpers: Security-Focused HTTP Headers to Protect Against Vulnerabilities

This is the second blog in our “Hidden Helpers” series on HTTP headers. Part one explains what HTTP headers are and why you should look to them when securing your application.


If somebody is trying to break into your house, there’s a great chance you’ll hear a window break or a door get forced open. However, this becomes less likely if you tell an attacker that the windows can easily be opened or the lock on your back door isn’t working.


The same holds true for application security. Attackers looking to compromise your system will attempt a variety of attack techniques, hoping that one sticks. If you’re monitoring your site’s traffic, there’s a good chance you’ll see a great deal of successful attacks and you will be able to react accordingly (call 911 if it’s your house, and 1-844-RAPID-IR if it’s your site).


When your responses carry headers that your application does not need in order to work, you may be handing attackers information that increases the potency of an attack and makes it harder to detect.


Don’t overshare


When building HeaderInspector, I evaluated the Moz Top 500 sites and found that 85% of them share the type of web server they use (such as Apache, Nginx, etc.). Others share the version as well.


Part of this is due to the fact that Apache is still a major web server, when looking from a domain quality standpoint. And this web server requires ..
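The following is an added example in the spirit of that survey, not code from the post or from HeaderInspector: it parses a constructed raw HTTP response and flags response headers that reveal the server product or its version. The header list, the version pattern and the sample response are assumptions.

```python
"""Audit an HTTP response for headers that reveal the software stack.

Added example (not from the original post or HeaderInspector); the header
names checked and the sample response are assumptions / constructed data.
"""
import re

# Response headers that commonly name the software behind a site (assumed list).
DISCLOSURE_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")

# A dotted number such as "2.4.57" inside a header value indicates a version leak.
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_headers(raw_response: str) -> dict:
    """Parse a raw HTTP response (status line + headers) into a lowercase-keyed dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_disclosure(raw_response: str) -> list:
    """Return (header, value, severity) for every stack-revealing header present.

    severity is 'version' when a version number is exposed, 'product' when only
    the product name is exposed.
    """
    headers = parse_headers(raw_response)
    findings = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name.lower())
        if value is None:
            continue
        severity = "version" if VERSION_RE.search(value) else "product"
        findings.append((name, value, severity))
    return findings


# Constructed sample response showing both a version leak and a product-only leak.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.57 (Ubuntu)\r\n"
    "X-Powered-By: PHP\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for header, value, severity in audit_disclosure(SAMPLE_RESPONSE):
        print(f"{header}: {value!r} exposes {severity}")
```

Run against your own site's responses; Apache's `ServerTokens Prod` and nginx's `server_tokens off` are the usual directives for trimming what the Server header reveals.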
