[ https://issues.apache.org/jira/browse/DRILL-7367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16925037#comment-16925037 ]

ASF GitHub Bot commented on DRILL-7367:
---------------------------------------

gparai commented on pull request #1851: DRILL-7367: Remove Server details from 
response headers
URL: https://github.com/apache/drill/pull/1851
 
 
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Remove Server details from response headers
> -------------------------------------------
>
>                 Key: DRILL-7367
>                 URL: https://issues.apache.org/jira/browse/DRILL-7367
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Arina Ielchiieva
>            Assignee: Arina Ielchiieva
>            Priority: Major
>              Labels: ready-to-commit
>             Fix For: 1.17.0
>
>
> Drill response headers include Server information which is considered to be a 
> vulnerability.
> {noformat}
> curl http://localhost:8047/cluster.json -v -k
> *   Trying ::1...
> * TCP_NODELAY set
> * Connected to localhost (::1) port 8047 (#0)
> > GET /cluster.json HTTP/1.1
> > Host: localhost:8047
> > User-Agent: curl/7.54.0
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Date: Thu, 05 Sep 2019 12:47:53 GMT
> < Content-Type: application/json
> < Content-Length: 436
> < Server: Jetty(9.3.25.v20180904)
> ...
> {noformat}
> https://pentest-tools.com/blog/essential-http-security-headers/
> After the fix, headers should be without server information:
> {noformat}
> curl http://localhost:8047/cluster.json -v -k
> *   Trying ::1...
> * TCP_NODELAY set
> * Connected to localhost (::1) port 8047 (#0)
> > GET /cluster.json HTTP/1.1
> > Host: localhost:8047
> > User-Agent: curl/7.54.0
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Date: Thu, 05 Sep 2019 13:55:25 GMT
> < Content-Type: application/json
> < Content-Length: 436
> ...
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
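
The before/after check from the issue description can be turned into a regression test. The following is an added example, not part of the issue or of Drill's code; the function names are hypothetical and the sample transcripts are constructed from the ones quoted above.

```shell
#!/bin/sh
# Constructed samples modelled on the issue's before/after `curl -v` transcripts.
before_fix='> GET /cluster.json HTTP/1.1
> Host: localhost:8047
< HTTP/1.1 200 OK
< Content-Type: application/json
< Server: Jetty(9.3.25.v20180904)'

after_fix='> GET /cluster.json HTTP/1.1
> Host: localhost:8047
< HTTP/1.1 200 OK
< Content-Type: application/json'

# Print every Server response header found in a `curl -v` transcript on stdin.
# Only "< " lines are response headers; "> " (request) and "* " (curl info)
# lines are skipped. Header names are matched case-insensitively.
disclosed_server_headers() {
    tr -d '\r' | awk '
        /^< / {
            line = substr($0, 3)
            sep = index(line, ":")
            if (sep == 0) next                 # status line, not a header
            if (tolower(substr(line, 1, sep - 1)) == "server") print line
        }'
}

# Exit status 0 when no Server header is present, 1 otherwise.
check_no_server_header() {
    found=$(disclosed_server_headers)
    if [ -n "$found" ]; then
        printf 'FAIL: response discloses: %s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Against a live Drill web endpoint (curl writes the -v transcript to stderr):
#   curl -sv -o /dev/null http://localhost:8047/cluster.json 2>&1 | check_no_server_header
printf '%s\n' "$after_fix" | check_no_server_header && echo "after fix: no Server header"
```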
