Testing the Security of Your Website – Part 1
Error Page
You have to configure your website to either redirect the user to its homepage or to show a custom error page when a user tries to load a non-existent page. Otherwise, most web servers will advertise their name and version on the default error page. Knowing the name and version of the web server software, a hacker can look online for known security flaws in the software you are using and try to exploit them.
Simply try to load https://www.yourwebsite.com/asjgasja or any set of random characters as the name of a page and see what is displayed. In Figures 5 and 6, we give two examples of websites that are not correctly configured, and we could easily discover that the first one (Figure 5) is running nginx version 1.4.2, while the second one (Figure 6) is running Apache version 2.2.8.
Figure 5: Website without a custom error page displaying the name and version of the server software
Figure 6: Website without a custom error page displaying the name and version of the server software
The way this is fixed depends on the server software and on whether or not you have full access to the server where your website is hosted. If you have full access to the web server, you should edit the httpd.conf file, add the lines below, and restart Apache (assuming that you are using Apache, which is the most popular web server software available).
ErrorDocument 403 https://www.yourwebsite.com
ErrorDocument 404 https://www.yourwebsite.com
If you do not have this kind of access, you should discuss this configuration with your hosting company.
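As an added example (not part of the article), a small Python checker that automates the test described above: it requests a random non-existent page and reports any server name and version string found in the Server header or in the error page body. The sample responses are constructed to mirror the nginx 1.4.2 and Apache 2.2.8 pages in Figures 5 and 6; the function names (analyse, probe_site) are my own.

```python
import re
import secrets
import string
import urllib.error
import urllib.request
from typing import NamedTuple

# Matches strings such as "nginx/1.4.2" or "Apache/2.2.8" in a Server header or an error page body.
VERSION_RE = re.compile(r"\b(nginx|Apache|Microsoft-IIS|LiteSpeed|lighttpd)/(\d+(?:\.\d+)+)", re.I)

class Finding(NamedTuple):
    where: str      # "header" or "body"
    software: str
    version: str

def random_probe_path(length=8):
    """Random page name that will not exist (like /asjgasja), so the server's error handling is exercised."""
    return "/" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))

def analyse(headers, body):
    """Return every server name/version disclosed in the response headers or body (empty list = nothing leaked)."""
    findings = []
    for name, value in headers.items():
        if name.lower() == "server":
            m = VERSION_RE.search(value)
            if m:
                findings.append(Finding("header", m.group(1), m.group(2)))
    for m in VERSION_RE.finditer(body):
        findings.append(Finding("body", m.group(1), m.group(2)))
    return findings

def probe_site(base_url, timeout=10):
    """Live check of your own site: fetch a random non-existent page and analyse the reply (urllib raises on 4xx)."""
    req = urllib.request.Request(base_url.rstrip("/") + random_probe_path(), headers={"User-Agent": "error-page-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return analyse(dict(resp.headers), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return analyse(dict(err.headers), err.read().decode("utf-8", "replace"))

# Constructed sample responses modelled on the default 404 pages of nginx 1.4.2 and Apache 2.2.8 (cf. Figures 5 and 6).
NGINX_DEFAULT_404 = ('<html><head><title>404 Not Found</title></head><body bgcolor="white">'
                     '<center><h1>404 Not Found</h1></center><hr><center>nginx/1.4.2</center></body></html>')
APACHE_DEFAULT_404 = ('<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>'
                      '<p>The requested URL /asjgasja was not found on this server.</p><hr>'
                      '<address>Apache/2.2.8 (Ubuntu) Server at www.yourwebsite.com Port 80</address></body></html>')
CUSTOM_404 = '<html><body><h1>Sorry, that page does not exist.</h1></body></html>'

if __name__ == "__main__":
    for label, hdrs, body in [("nginx", {"Server": "nginx/1.4.2"}, NGINX_DEFAULT_404),
                              ("apache", {"Server": "Apache/2.2.8 (Ubuntu)"}, APACHE_DEFAULT_404),
                              ("fixed", {"Server": "Apache"}, CUSTOM_404)]:
        print(label, analyse(hdrs, body))
```

Note that ErrorDocument only replaces the page body; the Server header is a separate disclosure, which on Apache is reduced with ServerTokens Prod and ServerSignature Off in httpd.conf.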
