• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Changing Apache FileETag for PCI Compliance

DickenW

New Pleskian
My Plesk server is currently failing PCI scans:

"Description: Apache ETag header discloses inode numbers Severity: Potential Problem CVE: CVE-2003-1418 Impact: A remote attacker could determine inode numbers on the server."

I have added the following line to '/etc/httpd/conf/httpd.conf':

FileETag MTime Size

I have added it twice - in the main body of the file, and also inside the primary <Directory> directive, as I was not sure where to place it.

But, Apache is still failing the PCI scans for disclosing inode numbers.

And yes, I restarted apache ;)

Any ideas what else I have to change to get this to work?
(Plesk 10.3.1 CentOs)
 
Add this to a file within /etc/httpd/conf.d/ (assuming you're on Centos) :

Header unset ETag
FileETag MTime Size

Then restart Apache (and make sure you're not declaring something different in your .htaccess files!)
 
Back
Top