• Type: New Feature
    • Resolution: Won't Do
    • Priority: Minor
    • Component: winstone-jetty

      Support sendServerVersion option to unset server version http header.

      There is an HTTP header which returns the Jetty server version:

      plata:winstone escoem$ curl -I https://JENKINS_SERVER/
      HTTP/1.1 302 Found
      Date: Wed, 02 Nov 2016 13:32:14 GMT
      Expires: Thu, 01 Jan 1970 00:00:00 GMT
      Location: https://JENKINS_SERVER/securityRealm/commenceLogin?from=%2F
      Server: Jetty(9.2.z-SNAPSHOT)
      Set-Cookie: JSESSIONID.dsaw=daseawew;Path=/;Secure;HttpOnly
      X-Content-Type-Options: nosniff
      X-Hudson: 1.395
      X-Hudson-CLI-Port: 10081
      X-Jenkins: 2.7.4.4
      X-Jenkins-CLI-Host: IP
      X-Jenkins-CLI-Port: 10081
      X-Jenkins-CLI2-Port: 10081
      X-Jenkins-Session: dsaw
      Connection: keep-alive

      Jetty supports a configuration option for sending or not sending the Server version (by default it is sent).
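As an added example (not from the issue or from the winstone project), a small Python audit that parses `curl -I` output and reports which headers disclose a product version; the sample response is constructed from the one quoted above, and `header_audit.py` is an assumed file name. Re-running it after the Server header is disabled confirms the change, and shows that X-Jenkins and X-Hudson, which Jenkins sets itself, are still present.

```python
import re
import sys

# Constructed sample based on the response quoted in the issue (hostname and
# session id are placeholders).
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Date: Wed, 02 Nov 2016 13:32:14 GMT
Location: https://JENKINS_SERVER/securityRealm/commenceLogin?from=%2F
Server: Jetty(9.2.z-SNAPSHOT)
X-Content-Type-Options: nosniff
X-Hudson: 1.395
X-Jenkins: 2.7.4.4
X-Jenkins-Session: dsaw
"""

# Headers that name the product and usually carry its version. X-Jenkins-Session
# is an opaque id rather than a version, so it is deliberately not listed.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-jenkins", "x-hudson"}

# Matches a dotted version such as 9.2.z-SNAPSHOT, 1.395 or 2.7.4.4.
VERSION_RE = re.compile(r"\d+(?:\.[\w-]+)+")


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw response (e.g. `curl -I` output):
    skip the status line, stop at the first blank line, lower-case names."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:  # ignore anything that is not "Name: value"
            headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw: str) -> dict:
    """Return {header: version} for each disclosing header present. A header
    without a version string (e.g. 'Server: Jetty') maps to its raw value,
    because the product name alone is still a disclosure."""
    found = {}
    for name, value in parse_headers(raw).items():
        if name in DISCLOSING_HEADERS:
            match = VERSION_RE.search(value)
            found[name] = match.group(0) if match else value
    return found


if __name__ == "__main__":
    # Usage: curl -sI https://JENKINS_SERVER/ | python3 header_audit.py
    for header, version in sorted(version_disclosures(sys.stdin.read()).items()):
        print(f"{header}: {version}")
```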

          [JENKINS-39436] Allow to deactivate "Server HTTP Header"

          Emilio Escobar created issue
          Emilio Escobar made changes
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Emilio Escobar made changes
          Remote Link New: This issue links to "PR (Web Link)" [ 15010 ]
          Emilio Escobar made changes
          Description Original: Support sendServerVersion option to unset server version http header. New: (the full description as shown above, with the Server header emphasized)

          Arnaud Héritier added a comment
          For me, having the ability to remove the Server HTTP header is a common practice.
          We all agree that it is a really poor practice (security by obscurity), but at least it is supposed to make some kinds of servers harder to detect with a quick scan.
          In our case this option should also be used, from my POV, to hide our own version headers: X-Jenkins and X-Hudson (lol)
          Arnaud Héritier made changes
          Summary Original: Add sendServerVersion option New: Allow to deactivate "Server HTTP Header"

          Emilio Escobar added a comment
          According to comments like https://github.com/jenkinsci/winstone/pull/25#issuecomment-335529372, the PR won't be merged, so resolving as Won't Do.
          Emilio Escobar made changes
          Resolution New: Won't Do [ 10001 ]
          Status Original: In Progress [ 3 ] New: Resolved [ 5 ]
          Daniel Beck made changes
          Link New: This issue is duplicated by SECURITY-1165 [ SECURITY-1165 ]

            Assignee: Emilio Escobar (escoem)
            Reporter: Emilio Escobar (escoem)