2 Replies Latest reply on Jun 6, 2016 8:33 AM by Jamie Metcalf

    Hide HTTP Header of Web Server

    Jamie Metcalf

      I have a requirement to hide the HTTP Header on the web server, specifically the "Server:" line of the HTTP Header so that it doesn't say Tableau, for higher security.

       

      Tableau support says changing or hiding the HTTP Header is not currently a feature.

       

      I found this site that says you can change the HTTP Header in Apache by adding a line to the httpd.conf file, but only if the mod_Headers module is installed and loaded.

       

      I can see in the httpd.conf file that this module is not loaded, and I have no clue if it's installed or not.

       

      Has anyone else had to do this?

        • 1. Re: Hide HTTP Header of Web Server
          Russell Christopher

          I'm not sure which httpd.conf you're looking at, but the one I spy with my little eye in \programdata\tableau\tableau server\data\tabsvc\config does have that module loaded. And I even see a Header command  on line 226 of the file being used to add a Platform for Privacy Preferences policy notice (Header append P3P 'CP="Non"')

           

          That policy shows up loud and clear in the Headers when I connect to Tableau in the browser...

           

          That said, touching the file yourself is verboten and changing it generally means support won't assist with problems "as-is" since the product is not tested with "your" changes -- you'd have to put the machine back the way it was, etc. etc.

           

          So, looks like you might be able to do this, but the million dollar question is whether you want to take the risk and put yourself outside of support.

           

          ...Realistically, I probably wouldn't bother making the change since I assume anyone who can look in online help or read forums like this will know we run Apache anyway.  In my mind the supportability / "I might break something " risk is scarier than a bad guy knowing what web server I'm running.

           

          FYI - I don't see the version of Apache being reported in the headers if that makes you any better

           

          Happy hacking!

           

           

          Edit: Just looked more closely at this, and now I see what you're talking about: Server: Tableau coming from individual processes. I also see that most of these suckers have a distinct server.xml config file a little bit further into the filesystem in...\config\<service name>. These xml files contain server=Tableau key / value pairs. For giggles, I changed them on one service to server=foobar and restarted....No change. So it appears additional hunting with a tool like Agent Ransack would need to be done to try and figure this out...

          • 2. Re: Hide HTTP Header of Web Server
            Jamie Metcalf

            Thanks for your help

             

            The httpd.conf I was looking at is in \Program Files\Tableau\Tableau Server\8.2\apache\conf\original

             

            I am waiting for a verdict on whether the business wants me to wreck the .xml/.conf files, migrate to a different non-Tableau solution, or negotiate with the security directive.

             

            If I end up wrecking .xml/.conf files I'll post with any results I get.