Constraining the Apache Server ETag Header to Prevent iNode Disclosure within Secure Global Desktop (Doc ID 2145366.1)

Last updated on AUGUST 31, 2017

Applies to:

Oracle Secure Global Desktop - Version 5.1 to 5.3 [Release 5.0]
Information in this document applies to any platform.

Goal

Secure Global Desktop (SGD) Administrators may be interested in tailoring the configuration of the bundled Apache server to prevent inode information from being presented to external users within the ETag response header.

Note: Depending upon configuration, the server's ETag response header may provide sensitive information, such as the inode number of requested files. This practice has fallen from favor, and may be flagged by security scans. The FileETag directive is a native Apache parameter, discussed in detail within the project's online documentation at: http://httpd.apache.org/docs/2.2/mod/core.html#FileETag
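To check whether a given response falls into the case the note describes, the following added example (not part of the Oracle document, and not Oracle's solution) inspects a response's headers for the three-field `inode-size-mtime` ETag that Apache 2.2 emits under its default `FileETag INode MTime Size` setting. The function names, the header dictionary keyed by canonical header names, and the sample values are assumptions made for the illustration.

```python
import re
from email.utils import parsedate_to_datetime

# Apache file ETags are hex fields joined by "-". With the 2.2 default
# (FileETag INode MTime Size) the layout is inode-size-mtime, where
# mtime is in microseconds since the epoch.
ETAG_RE = re.compile(r'^(?:W/)?"([0-9a-f]+(?:-[0-9a-f]+){0,2})"$', re.I)

def audit_etag(headers):
    """Report whether a response's ETag looks like it carries an inode."""
    report = {"etag": headers.get("ETag"), "inode_disclosed": False, "confirmed": False}
    match = ETAG_RE.match((report["etag"] or "").strip())
    if not match:
        return report                      # absent, or not Apache's file format
    fields = [int(f, 16) for f in match.group(1).split("-")]
    if len(fields) != 3:
        return report                      # e.g. "size-mtime": no inode field
    inode, size, mtime_us = fields
    # Cross-check the other two fields against headers that state the same
    # facts; agreement confirms that the first field is the inode.
    checks = []
    if "Content-Length" in headers:
        checks.append(size == int(headers["Content-Length"]))
    if "Last-Modified" in headers:
        modified = parsedate_to_datetime(headers["Last-Modified"])
        checks.append(mtime_us // 1_000_000 == int(modified.timestamp()))
    if checks and not all(checks):
        return report                      # three fields, but not this layout
    report.update(inode_disclosed=True, confirmed=bool(checks), inode=inode)
    return report

def sample_headers():
    """Constructed response headers (not captured from a real SGD server)."""
    inode, size, mtime = 181169, 500, 1504180800
    return {
        "ETag": '"%x-%x-%x"' % (inode, size, mtime * 1_000_000),
        "Content-Length": str(size),
        "Last-Modified": "Thu, 31 Aug 2017 12:00:00 GMT",
    }

if __name__ == "__main__":
    print(audit_etag(sample_headers()))
```

A compressed or partial response can make `Content-Length` differ from the file size, so a failed cross-check on such a response does not prove the inode is absent; re-test against an uncompressed, full response.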

 

Solution
