Vulnerabilities "Server Information Disclosure" and "Missing Secure Attribute"

Hello Ranbir, it sounds like those two vulnerabilities were revealed in the output from a web application vulnerability scanner. A quick way to see if they're easily resolved is to create a security policy in ASM using the "third party vulnerability scanner" output option when you start the deployment wizard. Import the XML-based vulnerability output file into ASM, and then locate those two vulnerabilities in the list. It is possible that ASM will mark them as "resolvable" and you might be able to simply select each one in the GUI and then click "resolve" or "resolve and stage." At that point, you could run the scan again, and any vulnerabilities resolved by ASM should no longer appear.

So, ASM will remove the Server header by default if it's enabled on the VIP.

If you haven't got ASM then irules will be your friend here. See the following links:

SOL11324: Setting the secure attribute for HTTP cookies

HTTP::header wiki

This will have an example on how you can loop through headers and remove any that you want.

Hope this helps,

N