[ https://issues.apache.org/jira/browse/WICKET-7004?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrea Del Bene updated WICKET-7004:
------------------------------------
    Affects Version/s: 9.11.0
                           (was: 9.12.0)

> Jetty config example contains security hazard
> ---------------------------------------------
>
>                 Key: WICKET-7004
>                 URL: https://issues.apache.org/jira/browse/WICKET-7004
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-quickstart
>    Affects Versions: 9.11.0
>            Reporter: Bram Bogaert
>            Priority: Minor
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> Inside {{/wicket-archetype-quickstart/src/main/resources/archetype-resources/src/test/jetty/jetty.xml}} following setting can be found:
> {code:xml}
> <Set name="sendServerVersion">true</Set>
> {code}
> This results in each http response having a header like:
> {{Server : Jetty(9.4.46.v20220331)}}
> While none of this is a problem in itself (it is a test resource), it shouldn't be useful for tests and can be an example that could result in a security hazard. If one would copy this configuration for a Jetty production server, too much information would become readily accessible for people with bad intentions (reveals the server software + version number).

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
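
One way to catch a copied `sendServerVersion` setting before it reaches a production Jetty configuration, and to confirm from a response that no version is advertised. This is an added example, not part of the original issue or of Wicket; the sample XML, function names and regular expression are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling a Jetty 9 XML configuration
# (not the quickstart's actual jetty.xml).
SAMPLE_JETTY_XML = """<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="secureScheme">https</Set>
    <Set name="sendServerVersion">true</Set>
  </New>
</Configure>
"""


def find_version_disclosure(xml_text):
    """Return (owner, value) for each enabled <Set name="sendServerVersion">.

    'owner' is the id (or class, or tag) of the element that contains the
    setting, so the finding can be located in a large configuration file.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():
        for child in parent:
            if child.tag != "Set" or child.get("name") != "sendServerVersion":
                continue
            value = (child.text or "").strip().lower()
            if value == "true":
                owner = parent.get("id") or parent.get("class") or parent.tag
                findings.append((owner, value))
    return findings


# A product token followed by a dotted version, e.g. "Jetty(9.4.46.v20220331)".
VERSION_IN_HEADER = re.compile(r"[A-Za-z][\w.-]*\s*[(/]\s*\d+(?:\.\d+)+")


def header_leaks_version(server_header):
    """True when a Server header value names a product together with its version."""
    return bool(VERSION_IN_HEADER.search(server_header or ""))


if __name__ == "__main__":
    for owner, value in find_version_disclosure(SAMPLE_JETTY_XML):
        print(f"sendServerVersion={value} in {owner}: set it to false")
    print(header_leaks_version("Jetty(9.4.46.v20220331)"))
```

Run the first check over configuration files in a build or review step, and the second against the `Server` header of a deployed instance.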