+1.

On Tue, Aug 13, 2013 at 12:21 AM, Hiranya Jayathilaka
<hiranya...@gmail.com> wrote:

> I went through the HTTP spec, and it looks like the existing Synapse
> behavior is correct after all. Here's what the spec has to say:
>
> If the response is being forwarded through a proxy, the proxy application
> MUST NOT modify the Server response-header. Instead, it SHOULD include a
> Via field (as described in section 14.45
> <http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.45>).
>
>       Note: Revealing the specific software version of the server might
>       allow the server machine to become more vulnerable to attacks
>       against software that is known to contain security holes. Server
>       implementors are encouraged to make this field a configurable
>       option.
>
> So maybe we should keep the current default behavior and perhaps add the
> "Via" header to the response, as suggested.
>
> Thanks,
> Hiranya
>
> On Aug 11, 2013, at 10:41 PM, Hiranya Jayathilaka <hiranya...@gmail.com>
> wrote:
>
> On Aug 11, 2013, at 10:51 AM, Sanjiva Weerawarana <sanj...@opensource.lk>
> wrote:
>
> IMO the Server header should by default be set by Synapse to say "Apache
> Synapse vX.Y.Z" or something like that and have an option to forward that
> of the backend.
>
>
> +1 to the suggested default behavior.
>
> We already have an (undocumented) configuration option to control this.
> It's just that the current default behavior is to pass the "Server" header
> sent by the backend server.
>
> Thanks,
> Hiranya
>
>
> I guess we should probably look at what a reverse proxy like nginx does by
> default and do whatever they do .. as that's the role of Synapse in
> HTTP-HTTP routing.
>
> Sanjiva.
>
>
> On Sun, Aug 11, 2013 at 8:23 PM, Rajika Kumarasiri <
> rajika.kumaras...@gmail.com> wrote:
>
>> I meant it's better not to include that header by default since it can be
>> considered a security issue. But as you have suggested we also need a way
>> to configure the header.
>>
>> Rajika
>>
>>
>> On Sun, Aug 11, 2013 at 1:52 AM, Hiranya Jayathilaka <
>> hiranya...@gmail.com> wrote:
>>
>>> Hi Rajika,
>>>
>>> On Aug 10, 2013, at 10:42 PM, Rajika Kumarasiri <
>>> rajika.kumaras...@gmail.com> wrote:
>>>
>>> +1. Should be use-if-available.
>>>
>>>
>>> Are you implying that the current behavior is correct (i.e. passing the
>>> HTTP "Server" header to the client)?
>>>
>>> Thanks,
>>> Hiranya
>>>
>>>
>>> Rajika
>>>
>>>
>>> On Sun, Aug 11, 2013 at 12:30 AM, Hiranya Jayathilaka <
>>> hiranya...@gmail.com> wrote:
>>>
>>>> I noticed that both PT and NHTTP transports pass the "Server" header
>>>> sent from the backend server to the client. This is the default programmed
>>>> behavior, and it can be overridden if needed using a configuration
>>>> parameter. But is the default behavior correct? Shouldn't Synapse
>>>> completely hide the backend server details from the client?
>>>>
>>>> Thanks,
>>>> Hiranya
>>>>
>>>>  --
>>>> Hiranya Jayathilaka
>>>> Mayhem Lab/RACE Lab;
>>>> Dept. of Computer Science, UCSB;  http://cs.ucsb.edu
>>>> E-mail: hira...@cs.ucsb.edu <hira...@wso2.com>;  Mobile: +1 (805)
>>>> 895-7443
>>>> Blog: http://techfeast-hiranya.blogspot.com/
>>>>
>>>>
>>>
>>>  --
>>> Hiranya Jayathilaka
>>> Mayhem Lab/RACE Lab;
>>> Dept. of Computer Science, UCSB;  http://cs.ucsb.edu
>>> E-mail: hira...@cs.ucsb.edu <hira...@wso2.com>;  Mobile: +1 (805)
>>> 895-7443
>>> Blog: http://techfeast-hiranya.blogspot.com/
>>>
>>>
>>
>
>
> --
> Sanjiva Weerawarana, Ph.D.
> Founder, Director & Chief Scientist; Lanka Software Foundation;
> http://www.opensource.lk/
> Founder, Chairman & CEO; WSO2; http://wso2.com/
>
> Blog: http://sanjiva.weerawarana.org/
>
>
> --
> Hiranya Jayathilaka
> Mayhem Lab/RACE Lab;
> Dept. of Computer Science, UCSB;  http://cs.ucsb.edu
> E-mail: hira...@cs.ucsb.edu <hira...@wso2.com>;  Mobile: +1 (805) 895-7443
> Blog: http://techfeast-hiranya.blogspot.com/
>
>


-- 
Sanjiva Weerawarana, Ph.D.
Founder, Director & Chief Scientist; Lanka Software Foundation;
http://www.opensource.lk/
Founder, Chairman & CEO; WSO2; http://wso2.com/

Blog: http://sanjiva.weerawarana.org/
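The three Server-header policies discussed in this thread, modelled as an added example (this is not Apache Synapse code and does not reflect its configuration option): "forward" leaves the backend's Server header untouched and appends a Via entry, which is what RFC 2616 sections 14.38 and 14.45 ask of a proxy; "hide" drops the header; "replace" sets it to the proxy's own identity as Sanjiva proposed. The pseudonym "synapse-gw", the version string "Apache Synapse vX.Y.Z" and the sample backend headers are placeholders constructed for the example.

```python
"""Reverse-proxy handling of the HTTP Server and Via response headers.

Added example, not Apache Synapse code. It models the three behaviours
discussed in the thread:
  * "forward": leave the backend's Server header untouched and add a Via
    entry, as RFC 2616 sections 14.38 and 14.45 ask of a proxy;
  * "hide":    drop the Server header so the backend product is not revealed;
  * "replace": set Server to the proxy's own identity ("Apache Synapse vX.Y.Z").
PROXY_PSEUDONYM and PROXY_SERVER_VALUE are placeholders, not real Synapse settings.
"""
import re
from typing import List, Optional, Tuple

Header = Tuple[str, str]

PROXY_PSEUDONYM = "synapse-gw"                 # placeholder received-by token for Via
PROXY_SERVER_VALUE = "Apache Synapse vX.Y.Z"   # placeholder product token

# Constructed backend response headers, as a backend server might send them.
SAMPLE_BACKEND_HEADERS: List[Header] = [
    ("Content-Type", "application/json"),
    ("Server", "ExampleBackend/2.4.1"),
    ("Content-Length", "17"),
]


def build_via_value(existing: Optional[str], received_protocol: str = "1.1",
                    pseudonym: str = PROXY_PSEUDONYM) -> str:
    """Append this hop to a Via list (RFC 2616 14.45: received-protocol received-by).

    An upstream Via value is preserved and this proxy's entry is added at the
    end, so the client can see every hop in order.
    """
    hop = f"{received_protocol} {pseudonym}"
    return f"{existing}, {hop}" if existing else hop


def proxy_response_headers(backend_headers: List[Header], mode: str = "forward") -> List[Header]:
    """Return the header list the proxy should send to the client.

    Header names are matched case-insensitively; the relative order of the
    other headers is preserved.
    """
    if mode not in ("forward", "hide", "replace"):
        raise ValueError(f"unknown Server header mode: {mode!r}")
    out: List[Header] = []
    existing_via: Optional[str] = None
    for name, value in backend_headers:
        lname = name.lower()
        if lname == "via":
            # Collapse any upstream Via fields into one list before appending our hop.
            existing_via = value if existing_via is None else f"{existing_via}, {value}"
            continue
        if lname == "server" and mode != "forward":
            continue  # dropped; "replace" adds the proxy's own value below
        out.append((name, value))
    if mode == "replace":
        out.append(("Server", PROXY_SERVER_VALUE))
    out.append(("Via", build_via_value(existing_via)))
    return out


def server_header(headers: List[Header]) -> Optional[str]:
    """Return the Server value a client would see, or None if none is sent."""
    for name, value in headers:
        if name.lower() == "server":
            return value
    return None


def reveals_version(headers: List[Header]) -> bool:
    """Check a client-facing response: does Server carry a numeric version?

    This is the condition the RFC 2616 note warns about (revealing the specific
    software version). A bare product token such as "nginx" does not match;
    "nginx/1.2.3" does.
    """
    value = server_header(headers)
    return value is not None and re.search(r"\d+\.\d+", value) is not None


if __name__ == "__main__":
    for mode in ("forward", "hide", "replace"):
        hdrs = proxy_response_headers(SAMPLE_BACKEND_HEADERS, mode)
        print(f"{mode:8s} Server={server_header(hdrs)!r:28s} "
              f"reveals version: {reveals_version(hdrs)}")
```

Running the block prints one line per policy; only "forward" passes the backend's version through, while all three append a Via entry so the proxy hop stays visible whichever Server policy is chosen. `reveals_version` is the check to run against a deployment's actual client-facing responses when deciding whether the default needs changing.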
