-
New Feature
-
Resolution: Won't Do
-
Minor
-
None
Support sendServerVersion option to unset server version http header.
There is a HTTP header which returns the Jetty server version:
plata:winstone escoem$ curl -I https://JENKINS_SERVER/
HTTP/1.1 302 Found
Date: Wed, 02 Nov 2016 13:32:14 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://JENKINS_SERVER/securityRealm/commenceLogin?from=%2F
Server: Jetty(9.2.z-SNAPSHOT)
Set-Cookie: JSESSIONID.dsaw=daseawew;Path=/;Secure;HttpOnly
X-Content-Type-Options: nosniff
X-Hudson: 1.395
X-Hudson-CLI-Port: 10081
X-Jenkins: 2.7.4.4
X-Jenkins-CLI-Host: IP
X-Jenkins-CLI-Port: 10081
X-Jenkins-CLI2-Port: 10081
X-Jenkins-Session: dsaw
Connection: keep-alive
Jetty support a configuration option for sending or not the Server version (by default is sent).
- links to
[JENKINS-39436] Allow to deactivate "Server HTTP Header"
According to comments like https://github.com/jenkinsci/winstone/pull/25#issuecomment-335529372 the PR won't be merged so resolving as Won't Do.
For me having the ability to remove the Server HTTP header is a common practice.
We are all agree that it is a really poor practice (security by obscurity) but at least it is supposed to help to detect less easily some kind of servers with a quick scan
In our case this option should also be used from my POV to hide our own versions headers : X-Jenkins and X-Hudson (lol)