Do not display the Jetty version number
For security reasons, it seems important to stop sending the Jetty version number.
All this in order to strengthen the security of Rudder (in case of a pentest, for example).
To disable the display of the version number:
Updated by François ARMAND about 1 year ago
Can you be more precise where you want to hide it?
If it's in the response header, AFAIK it's filtered out by Apache, and so it's only viewable on localhost (and if you are on localhost, you can already see much more with ps or whatever).
But, right, it's not a big deal to set the VM option (it's more to understand the criticality of the problem).
Updated by François ARMAND 5 months ago
Actually, we want to set the option by default in all cases: there is no case where we want to send this information, be it locally or not.
And we should remove the header rewrite from Apache config (from https://issues.rudder.io/issues/11160) to simplify things in a following minor.
Updated by Elaad FURREEDAN 5 months ago
- Status changed from In progress to Pending technical review
- Assignee changed from Elaad FURREEDAN to Alexis MOUSSET
- Pull Request set to https://github.com/Normation/rudder-packages/pull/2554
Updated by Anonymous 5 months ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-packages|d8c3c161cbd49dfa6aacccaf43dab97d1e0fb046.