
I have a web site that does E-commerce. We've been dinged about our security not being PCI DSS compliant because our AWS based servers are returning an HTTP response with:

Server: CloudFront

as a parameter. I can see how advertising your server type could be a clue for hackers, but I've been unable to find any references as to how to shut this off in CloudFront or WAF (I do see references to shutting it off in Apache HTTP). Our actual server is a Linux system, and CloudFront is obfuscating this information by rewriting the header, but how can I remove it? Or is simply rewriting it as CloudFront adequate?

wdtj
  • This type of information disclosure should not cause a PCI scan to fail. What level is it giving for this vulnerability? – Rodrigo Murillo Jan 09 '20 at 07:52
  • Sorry, but the complaint has gone through several levels of management so all I was told is that we should not be sending the header. I have fixed it for Apache HTTP and management was happy with that. – wdtj Jan 09 '20 at 14:56

1 Answer


You cannot remove this header. The Server header is mandatory. You can change its value to some other keyword like `generic`, using Lambda@Edge.

See Cloudfront and Lambda@Edge: Remove response header

Rodrigo Murillo
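The header rewrite the answer describes, as an added example that is not the answer's own code: a Node.js Lambda@Edge handler that overwrites the `Server` header value with a generic token. The trigger it is meant for (origin-response) and the value `generic` are assumptions; the sample event is constructed to mirror the shape CloudFront hands to the function.

```javascript
'use strict';

// Generic token to advertise instead of the real server software (assumed value).
const GENERIC_SERVER_VALUE = 'generic';

// CloudFront event headers are keyed by lowercase name, each holding an array of
// { key, value } pairs. Overwrite (or create) the "server" entry with one value.
function rewriteServerHeader(response, value = GENERIC_SERVER_VALUE) {
  const headers = response.headers || (response.headers = {});
  headers['server'] = [{ key: 'Server', value }];
  return response;
}

// Lambda@Edge entry point (Node.js runtime), assumed attached to the
// origin-response trigger. CloudFront passes one record whose response object
// lives at event.Records[0].cf.response; the handler returns the modified response.
const handler = async (event) => {
  const response = event.Records[0].cf.response;
  return rewriteServerHeader(response);
};

// Constructed sample event resembling what CloudFront would deliver.
const sampleEvent = {
  Records: [{
    cf: {
      response: {
        status: '200',
        headers: {
          'server': [{ key: 'Server', value: 'CloudFront' }],
          'content-type': [{ key: 'Content-Type', value: 'text/html' }],
        },
      },
    },
  }],
};

// Stand-alone demo: prints the rewritten Server header value.
handler(sampleEvent).then((r) => console.log(r.headers.server[0].value));

if (typeof module !== 'undefined') {
  module.exports = { handler, rewriteServerHeader };
}
```

Deploy the handler in us-east-1 and associate it with the distribution's behavior; check the result with a response-header inspection (e.g. `curl -I`) against the distribution domain.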