Remove a ISAM for Web Response Header

If you want to hide a header from a junctioned server, it is possible to remove it using a HTTP Transformation rule.

The steps to making a HTTP Transformation rule are fairly well documented here:

On the appliance, you need to either create the XSL HTTP Transformation rule and upload it, or you can edit it on the box.

What is missing from the documentation is more examples. So I’ve posted an example here of removing the “X-Powered-By” header from the server.


<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="" version="1.0">
    <!--Firstly, strip any space elements -->
    <xsl:strip-space elements="*" />

    <!-- Perform a match on the root of the document. 
         Output the required HTTPResponseChange elements 
         and then process templates. -->
    <xsl:template match="/">
            <xsl:apply-templates />

    <!-- Match on the Headers. Remove the x-powered-by header if it exists. -->
    <xsl:template match="//HTTPResponse/Headers">
            <xsl:when test="Header/@name='x-powered-by'">
                <Header action="remove" name="x-powered-by">
                    <xsl:value-of select="node()" />

Once uploaded to the server, deploy the changes and you can then make the transformation rule available to the WebSEAL instance.
Edit the WebSEAL configuration file under the [http-transformations] stanza.


# The http-transformations stanza is used to house configuration information
# whichis necessary for thesupport of WebSEAL HTTP transformations.
# WebSEAL HTTP transformations are used to modify HTTP requests and
# HTTP responses (excluding the HTTP body) using XSLT.
# To enable the HTTP transformations for a particular object a POP should
# be attached to the appropriate part of the object space.  This POP
# should contain an extended attribute(s) with name of 'HTTPTransformation'
# and a value of 'Request=<resource-name>' and/or 'Response=<resource-name>'.
# HTTP transformation resources canbe defined by specifying the resource name
# and the path to the resource file.
# Format is:
#<resource-name> = <path-to-resource-xsl-file>

# The following files are currently available for this configuration entry:
# If you have deployed your XSL correctly it should be listed here
# - another.xsl 

removeheader = another.xsl

The resource removeheader is now available for our http transformation POP.
(Note: Case sensitive here “Response” vs “response”.)


Create a new POP, with an extended attribute “HTTPTransformation” and the value of “Response=removeheader”, and attach to the desired object space object.


XSL is not always the simplest thing to troubleshoot, so I recommend watching the WebSEAL message log, for example:

2014-06-30-17:38:19.907+10:00I----- 0x38B9A4B4 webseald ERROR wns httperrs 
XMLHTTPMessage.cpp 379 0x7f645216f700 -- DPWNS1204E   The XML element Header 
was missing from the document generated by a HTTP transformation operation.
2014-06-30-17:43:12.772+10:00I----- 0x1005B3B5 webseald ERROR acl authzn 
HTTPTransformationRule.cpp 83 0x7f77fe301720 -- HPDAC0949E   Validation of 
the rule text for rule object 
"/var/pdweb/shared/xslt/http-transformation/another.xsl" failed. Error code 
0xffffffff was returned along with error message "XSLT Error: Element 
'xsl:when' not parented by 'xsl:choose'. 
(/var/pdweb/shared/xslt/http-transformation/another.xsl, line 59, column 50.)--"

And additional logging can be found by enabling trace on the component:


server task <instance> trace set pdweb.http.transformation 9 file path=trace.log

Are you looking to supress the “Server” header too? WebSEAL can do this easily with configuration, see the WebSEAL configuration option:


# WebSEAL writes a Server header with the value "WebSEAL/version.number"
# with most responses (except those from a junctioned server).
# Including this header can be suppressed by setting this to "yes".
suppress-server-identity = yes

# For responses that were from a junctioned server, WebSEAL writes the Server
# header sent in the response from the backend. If the backend response did not
# include a Server header, then WebSEAL will not write any Server header to the
# client.
# Writing this header can be suppressed by setting this to "yes".
suppress-backend-server-identity = yes

One thought on “Remove a ISAM for Web Response Header

  1. Great and helpful article.

    please add that in POP one has to be careful about case sensitive feature! 😦

    These two are not the same, that is, second doesn’t work and shows nothing in logs (or trace)

    pdadmin sec_master> pop show pop_first attribute HTTPTransformation
    pdadmin sec_master> pop show pop_second attribute HTTPTransformation

    tnx again for your article(s)


Comments are closed.

Website Built with

Up ↑

%d bloggers like this: