Information Disclosure via X-Mod-Pagespeed Header
Description
The 'X-Mod-Pagespeed' header indicates that Google's PageSpeed module is active on the server, revealing potential caching, optimization, or rewriting configurations. Attackers who identify this module may target known vulnerabilities, default configurations, or specific rewriting rules in PageSpeed. They could also attempt cache poisoning, manipulate optimization parameters, or exploit potential flaws in how resources are combined, compressed, or served. Ultimately, disclosing the PageSpeed module and its version can expand the attack surface by giving adversaries a clear understanding of which optimization tools are in use.
Remediation
Remove or mask the 'X-Mod-Pagespeed' header in production environments to prevent external clients from learning about optimization mechanisms. Configure the PageSpeed module or your web server settings to suppress identifying headers. Keep PageSpeed and related components up to date with the latest security patches and best practices. If you use reverse proxies, load balancers, or CDNs, ensure they do not re-inject or preserve these headers. Employ a Web Application Firewall (WAF) or intrusion detection system to monitor for malicious attempts targeting PageSpeed vulnerabilities. Regularly review your server configuration to confirm no sensitive information about the optimization framework is inadvertently exposed.
References
https://developers.google.com/speed/pagespeed/modulehttps://owasp.org/www-community/attacks/Information_exposureSeverity
MEDIUMOwasp
Code: A05:2021
Category: Security Misconfiguration
Classification
5.4
5.4