[ https://issues.apache.org/jira/browse/WICKET-7004?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrea Del Bene updated WICKET-7004:
------------------------------------
    Affects Version/s: 9.11.0
                           (was: 9.12.0)

> Jetty config example contains security hazard
> ---------------------------------------------
>
>                 Key: WICKET-7004
>                 URL: https://issues.apache.org/jira/browse/WICKET-7004
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-quickstart
>    Affects Versions: 9.11.0
>            Reporter: Bram Bogaert
>            Priority: Minor
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> Inside
> {{/wicket-archetype-quickstart/src/main/resources/archetype-resources/src/test/jetty/jetty.xml}}
> the following setting can be found:
> {code:xml}
> <Set name="sendServerVersion">true</Set>
> {code}
> This results in each HTTP response having a header like:
> {{Server : Jetty(9.4.46.v20220331)}}
> While none of this is a problem in itself (it is a test resource), it 
> shouldn't be useful for tests and can be an example that could result in a 
> security hazard. If one would copy this configuration for a Jetty production 
> server, too much information would become readily accessible for people with 
> bad intentions (reveals the server software + version number).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
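
A check for the setting described in this issue, as an added example that is not part of the issue or of Wicket's code: it parses a jetty.xml and reports every `sendServerVersion` that resolves to true, whether written as a literal (the form quoted above) or through Jetty's `<Property ... default="..."/>` form. The sample XML, the property name in it, and the `audit` and `effective_value` helpers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the literal form quoted in the issue, plus Jetty's
# <Property> form, where the value comes from a property or its default.
SAMPLE_JETTY_XML = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="sendServerVersion">true</Set>
  </New>
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="sendServerVersion"><Property name="jetty.httpConfig.sendServerVersion" default="true"/></Set>
  </New>
</Configure>
"""


def effective_value(set_elem, props):
    """Resolve a <Set> body to (value, source); props holds property overrides."""
    prop = set_elem.find("Property")
    if prop is None:
        return (set_elem.text or "").strip(), "literal"
    name = prop.get("name")
    if name in props:
        return props[name], "property override"
    return prop.get("default"), "property default"


def audit(xml_text, props=None):
    """Return (owner id, source) for every sendServerVersion that resolves to true."""
    props = props or {}
    findings = []
    for owner in ET.fromstring(xml_text).iter():
        for set_elem in owner.findall("Set"):
            if set_elem.get("name") != "sendServerVersion":
                continue
            value, source = effective_value(set_elem, props)
            if (value or "").strip().lower() == "true":
                findings.append((owner.get("id", owner.tag), source))
    return findings


if __name__ == "__main__":
    for owner_id, source in audit(SAMPLE_JETTY_XML):
        print(f"{owner_id}: sendServerVersion=true ({source}); set it to false")
```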
