Tweaking IBM HTTP Server (IHS) for Production Environment

    HTTP Server by IBM is often used in combination with IBM WebSphere Application Server. Some of the popular sites using IBM HTTP Server are:

    • Airtel.in
    • Marriott.com
    • Hsbc.co.uk
    • Mercedes-benz.com.eg
    • Argos.co.uk

    IHS is based on Apache HTTP Server, tweaked by IBM to support enterprise applications and backed by IBM maintenance support. It holds a very small share of the web server market but is still widely used alongside WebSphere Application Server.


    The default IHS configuration discloses a lot of sensitive information, which can help an attacker prepare an attack and interrupt business operations. As an administrator, you should know how to harden the IHS configuration to secure the web applications it serves.

    In this article, I will explain how to make an IHS environment production ready so that it stays safe and secure.

    A few things before we start:

    • You have IHS installed on a Linux environment; if not, you can refer to the installation guide here.
    • You are advised to take a backup of the configuration file.
    • You have an HTTP header extension in your browser, or you can use an online header checker tool.
    • Due to the length of this article, I will cover SSL configuration in the next post.

    Hide Server Banner and Product Info from HTTP Header

    Probably one of the first tasks to do while setting up a production environment is to mask the IHS version and server banner in the response header. This is not critical, but it is considered a low-risk information leakage vulnerability and is a must for PCI DSS compliant applications.

    Let’s take a look at the response to a request for a non-existent resource (404) in the default configuration.


    Oh no, it reveals that I am using IBM HTTP Server, along with the server IP address and port number, which is ugly. Let’s hide them.

    Solution:

    • Add the following three directives to the httpd.conf file of your IHS:
    AddServerHeader Off
    ServerTokens Prod
    ServerSignature Off
    • Save the file and restart IHS.

    Let’s verify by accessing a non-existent file. You may also use an HTTP header tool to verify the response.


    Much better! Now it doesn’t give product, server and port information.

    Disable ETag

    The ETag header may reveal inode information, which can help an attacker carry out NFS-related attacks. By default IHS sends the ETag; here is how you can remediate this.


    Solution:

    • Add the following directive to the root directory block.
    FileETag none

    For example:

    <Directory />
       Options FollowSymLinks
       AllowOverride None
       FileETag none
    </Directory>
    • Restart the IHS server for the change to take effect.


    Run IHS with non-root Account

    The default configuration runs the web server as the root and nobody users, which is not advisable: running under a privileged account may expose the whole server in the event of a security hole. To limit the risk, create a dedicated user to run the IHS instances.

    Solution:

    • Create a user and group called ihsadmin:
    groupadd ihsadmin
    useradd -g ihsadmin ihsadmin

    Now, change the ownership of the IHS folder to ihsadmin so the newly created user has full permission on it. This assumes you installed to the default location, /opt/IBM/HTTPServer:

    chown -R ihsadmin:ihsadmin /opt/IBM/HTTPServer

    Let’s change the User and Group values in httpd.conf:

    User ihsadmin
    Group ihsadmin

    Save httpd.conf and restart the IHS server. IHS will now run as the ihsadmin user.
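    As an added example (not part of the original article), here is a small Python script that audits an httpd.conf for the directives covered so far: the server banner, ETag, and User/Group settings. The configuration text inside it is a constructed sample, and the ihsadmin account name is the one chosen above.

```python
# Added example, not from the original article: audit an httpd.conf for the
# directives recommended above. Values compare case-insensitively, as IHS
# treats them, and the last occurrence of a directive wins, as in Apache.
REQUIRED = {"AddServerHeader": "off", "ServerTokens": "prod", "ServerSignature": "off",
            "FileETag": "none", "User": "ihsadmin", "Group": "ihsadmin"}

def parse_directives(conf_text):
    """Return {directive_lowercase: value}; comments and <Block> tags are skipped,
    so scoping is flattened: FileETag inside <Directory /> still counts as set."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def audit_conf(conf_text):
    """Return a list of findings; an empty list means every directive is set."""
    found = parse_directives(conf_text)
    findings = []
    for directive, wanted in REQUIRED.items():
        actual = found.get(directive.lower())
        if actual is None:
            findings.append(f"{directive} missing (want {wanted})")
        elif actual.lower() != wanted:
            findings.append(f"{directive} is '{actual}' (want {wanted})")
    return findings

# Constructed sample standing in for an untouched /opt/IBM/HTTPServer/conf/httpd.conf.
SAMPLE_CONF = """\
Listen 80
User nobody
Group nobody
ServerTokens Full
ServerSignature On
<Directory />
   Options FollowSymLinks
   AllowOverride None
</Directory>
"""

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print("FINDING:", finding)
```

    Point it at the real file with `audit_conf(open("/opt/IBM/HTTPServer/conf/httpd.conf").read())` after your edits; an empty result means all six directives are in place.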

    Implement HttpOnly and Secure flag in Cookie

    Setting the Secure and HttpOnly flags on cookies helps reduce the risk from XSS attacks.

    Solution:

    To implement this, you must first ensure that mod_headers.so is enabled in httpd.conf.

    If not, uncomment the line below in httpd.conf:

    LoadModule headers_module modules/mod_headers.so

    Then add the Header directive below:

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

    Save the configuration file and restart the web server.

    Mitigate Clickjacking attack

    Clickjacking is a well-known technique in which an attacker tricks users into clicking on a link and executing embedded code without their knowledge.

    Solution:

    • Ensure mod_headers.so is enabled and add the header directive below to the httpd.conf file:
    Header always append X-Frame-Options SAMEORIGIN
    • Save the file and restart the server.

    Let’s verify by accessing the URL; the response should include X-Frame-Options as shown below.


    Configure Listen Directive

    This applies if you have multiple Ethernet interfaces or IP addresses on the server. It’s advisable to configure the exact IP address and port in the Listen directive so that IHS binds only to the intended interface rather than serving requests arriving on all of them. This is often seen in shared environments.

    Solution:

    • Add the intended IP address and port to the Listen directive in httpd.conf. For example:

    Add X-XSS-Protection

    You may apply Cross-Site Scripting (XSS) protection by adding the following header, which takes effect even if the user has disabled the filter in the browser.

    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    </IfModule>

    Disable Trace HTTP Request

    Having the TRACE method enabled on a web server may allow a Cross-Site Tracing attack, making it possible to steal cookie information. By default this is enabled, and you can disable it with the directive below.

    Solution:

    • Modify the httpd.conf file and add the line below:
    TraceEnable off
    • Save the file and restart the IHS instance for the change to take effect.
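    To verify all of the header changes above without a browser extension, here is an added Python example (not from the original article) that checks a captured raw HTTP response for the Server header, ETag, cookie flags, X-Frame-Options and X-XSS-Protection, and checks that a TRACE request is refused. Both responses inside it are constructed samples, not real IHS output.

```python
# Added example, not from the original article: check captured HTTP responses
# against the header hardening above. The sample responses are constructed.
def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body); header names
    are lower-cased and repeated headers (e.g. Set-Cookie) are kept as a list."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def audit_response(raw):
    """Return the hardening checks that FAIL for a normal (GET) response."""
    _, headers, _ = parse_response(raw)
    failures = []
    if "server" in headers:  # AddServerHeader Off removes this entirely
        failures.append("Server header present: " + headers["server"][0])
    if "etag" in headers:  # FileETag none
        failures.append("ETag header present")
    if headers.get("x-frame-options", [""])[0].upper() not in ("SAMEORIGIN", "DENY"):
        failures.append("X-Frame-Options not SAMEORIGIN/DENY")
    if not headers.get("x-xss-protection", [""])[0].startswith("1"):
        failures.append("X-XSS-Protection not enabled")
    for cookie in headers.get("set-cookie", []):  # Header edit Set-Cookie ...
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        missing = sorted({"httponly", "secure"} - flags)
        if missing:
            failures.append(f"cookie lacks {missing}: {cookie.split(';')[0]}")
    return failures

def trace_disabled(raw_trace_response):
    """TraceEnable off makes IHS answer TRACE with 405 instead of echoing (200)."""
    status, _, _ = parse_response(raw_trace_response)
    return status == 405

# Constructed: what a default configuration leaks on a 404.
DEFAULT_RESP = ("HTTP/1.1 404 Not Found\r\nServer: IBM_HTTP_Server\r\n"
                "ETag: \"1a2b-3c\"\r\nSet-Cookie: JSESSIONID=0000abc; Path=/\r\n\r\n")
# Constructed: the same request after applying this article's directives.
HARDENED_RESP = ("HTTP/1.1 404 Not Found\r\nX-Frame-Options: SAMEORIGIN\r\n"
                 "X-XSS-Protection: 1; mode=block\r\n"
                 "Set-Cookie: JSESSIONID=0000abc; Path=/;HttpOnly;Secure\r\n\r\n")
```

    Feed it the output of `curl -si` against a non-existent URL for audit_response, and of `curl -si -X TRACE` for trace_disabled; the default sample yields five failures and the hardened one none.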

    I hope the above tips help you harden IBM HTTP Server for a production environment.