Bug #11160

closed

We should not send Jetty version in header response

Added by François ARMAND over 7 years ago. Updated over 7 years ago.

Status: Rejected
Priority: N/A
Assignee: -
Category: Packaging
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check:
Fix check:
Regression:

Description

We have a response header telling Jetty version:

Server "Jetty(7.6.21.v20160908)" 

This is the default behavior for Jetty and is a little dumb: at best, it leaks information usable to forge an attack.

We should disable that, either by removing the header in Apache, or by changing to "false" the value of attribute "sendServerVersion" in file "/opt/rudder/jetty7/etc/jetty.xml".
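
One way to audit and apply the `sendServerVersion` change described in this ticket, as an added example (not code from the Rudder project). The sample `jetty.xml` content is constructed and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling a Jetty 7 jetty.xml (not copied from a Rudder install).
SAMPLE_JETTY_XML = """<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Set name="stopAtShutdown">true</Set>
  <Set name="sendServerVersion">true</Set>
  <Set name="sendDateHeader">true</Set>
</Configure>
"""

SET_RE = re.compile(r'(<Set\s+name="sendServerVersion"\s*>)\s*\w+\s*(</Set>)')
# A dotted number anywhere in the value, e.g. "Jetty(7.6.21.v20160908)".
VERSION_RE = re.compile(r"\d+\.\d+")


def sends_server_version(xml_text):
    """True if the config leaves version disclosure on.

    An absent setting counts as on, since the ticket describes sending
    the version as Jetty's default behavior.
    """
    root = ET.fromstring(xml_text)
    values = [el.text.strip().lower() for el in root.iter("Set")
              if el.get("name") == "sendServerVersion" and el.text]
    return not values or values[-1] != "false"


def disable_server_version(xml_text):
    """Return the config text with sendServerVersion set to false.

    Works on the raw text so comments and layout elsewhere are untouched.
    """
    new_text, count = SET_RE.subn(r"\g<1>false\g<2>", xml_text)
    if count == 0:
        raise ValueError("no sendServerVersion <Set> element found; add one by hand")
    return new_text


def header_leaks_version(server_header):
    """True if a Server response header value carries a version number."""
    return bool(VERSION_RE.search(server_header or ""))


if __name__ == "__main__":
    print("before:", sends_server_version(SAMPLE_JETTY_XML))
    print("after: ", sends_server_version(disable_server_version(SAMPLE_JETTY_XML)))
    print("header:", header_leaks_version("Jetty(7.6.21.v20160908)"))
```

`header_leaks_version` can be fed the `Server` value captured from a live response to confirm the change took effect after Jetty restarts.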


Related issues 2 (0 open, 2 closed)

Related to Rudder - Bug #11159: JSESSION cookie should be "secure" (Released, Benoît PECCATTE)
Related to Rudder - Bug #19163: Do not display the jetty version number (Released, Alexis Mousset)