Minimize Client-Side Information Leakage
Where possible, service banners should be removed or modified to minimize the disclosure of specific software versions and similar details. The steps needed to implement this measure depend on the technologies in use. For example, in Microsoft IIS, the Server header can be removed using URLScan in the IISLockDown tool. In later versions of Apache, this can be achieved using the mod_headers module. Because this information is subject to change, it is recommended that you consult your server documentation before carrying out any modifications.
All comments should be removed from client-side code that is deployed to
the live production environment, including all HTML and JavaScript.
Particular attention should be paid to any thick-client components such as
Java applets and ActiveX controls. No sensitive information should be hidden
within these components. A skilled attacker can decompile or reverse engineer
these components to effectively recover their source code (see Chapter 5).
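As an added check (not taken from the book), the following Python script audits a captured HTTP response for the two kinds of leakage described above: headers that reveal software versions, and comments left in the HTML or in inline JavaScript. The response it inspects is a constructed sample, and the header names and version pattern are assumptions chosen for illustration.

```python
import re

# Response headers that commonly reveal the software stack (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")              # e.g. "2.2.14", "5.3"
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
# Line comments must start a line or follow whitespace/;/{/} so that the
# "//" inside a URL such as http://example.com is not reported.
JS_COMMENT_RE = re.compile(r"(?:^|(?<=[\s;{}]))//[^\n]*|/\*.*?\*/", re.S | re.M)

# Constructed sample response (not a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.14 (Unix)\r\n"
    "X-Powered-By: PHP/5.3.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><!-- TODO: tidy before release --><body>\n"
    "<script>\n// legacy auth check, see ticket 42\n"
    "var u = 'http://example.com/';\n/* key rotation pending */\n"
    "</script></body></html>"
)

def parse_response(raw):
    """Split a raw HTTP/1.x response into status line, header dict, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def audit_response(raw):
    """Return a list of human-readable findings; empty means nothing leaked."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            findings.append(f"header {name} discloses a version: {value!r}")
        else:
            findings.append(f"header {name} present: {value!r}")
    for m in HTML_COMMENT_RE.finditer(body):
        findings.append(f"HTML comment: {m.group(1).strip()!r}")
    for script in SCRIPT_RE.finditer(body):
        for c in JS_COMMENT_RE.finditer(script.group(1)):
            findings.append(f"JavaScript comment: {c.group(0).strip()!r}")
    return findings
```

Running audit_response(SAMPLE_RESPONSE) reports both version headers, the HTML comment, and the two JavaScript comments, while ignoring the "//" inside the URL.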