I want to fulfill OWASP ASVS 14.3.3
<https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v143-unintended-security-disclosure-requirements>
requirement, which states:

14.3.3 Verify that the HTTP headers or any part of the HTTP response do not
expose detailed version information of system components.

for the ActiveMQ broker. I have a problem with the STOMP protocol CONNECTED
message, which looks like this:

CONNECTED
server:ActiveMQ/5.15.9
heart-beat:0,10000
session:ID:localhost.local-36323-1578488170638-3:15
version:1.2
user-name:u...@example.com

And it reveals (to a hypothetical evil one) my ActiveMQ broker version. So my
question is how to hide the whole server header or, if that is not possible,
maybe its version part.

After some research, I have found that this can be done by a little hacking:

1. The server header is set by the constant BROKER_VERSION in the code here
<https://github.com/apache/activemq/blob/activemq-5.15.11/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/ProtocolConverter.java#L791>
2. The value of the constant BROKER_VERSION is read here
<https://github.com/apache/activemq/blob/activemq-5.15.11/activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/ProtocolConverter.java#L89>
from the classpath location /org/apache/activemq/version.txt
3. We have to override the content of /org/apache/activemq/version.txt, which
surprisingly resides in activemq-client

This solution works, but it is inconvenient for hiding this version in a
Docker container or Helm package. Maybe there is another solution, or should I
create an enhancement request for ActiveMQ to allow configuring it somehow?

PS
I asked about this also on Stack Overflow:
<https://stackoverflow.com/questions/59660175/how-to-hide-activemq-broker-version-in-stomp-connected-server-header>
--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
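A verification check for the requirement discussed in the post, as an added example that is not part of the original message and not ActiveMQ's own code: it parses a STOMP CONNECTED frame, flags any header whose value carries a component version (the ASVS 14.3.3 concern), and includes an optional live probe for checking your own broker after the version.txt override. The frames are constructed here; the first mirrors the CONNECTED frame in the post with a constructed user name, and the second is what the frame looks like once the version segment is gone. The function names and the probe's CONNECT frame contents are assumptions.

```python
import re
import socket
from dataclasses import dataclass

# Constructed sample frames. LEAKY_FRAME mirrors the CONNECTED frame from the
# post (user name is a constructed placeholder); CLEAN_FRAME is the same frame
# with the version segment removed from the server header.
LEAKY_FRAME = (
    b"CONNECTED\n"
    b"server:ActiveMQ/5.15.9\n"
    b"heart-beat:0,10000\n"
    b"session:ID:localhost.local-36323-1578488170638-3:15\n"
    b"version:1.2\n"
    b"user-name:user@example.com\n"
    b"\n\x00"
)
CLEAN_FRAME = (
    b"CONNECTED\n"
    b"server:ActiveMQ\n"
    b"heart-beat:0,10000\n"
    b"session:ID:localhost.local-36323-1578488170638-3:15\n"
    b"version:1.2\n"
    b"user-name:user@example.com\n"
    b"\n\x00"
)

# Matches a dotted component version such as 5.15.9 (not the STOMP protocol
# version header, which is skipped by name below).
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


@dataclass
class StompFrame:
    command: str
    headers: dict
    body: bytes


def parse_frame(raw: bytes) -> StompFrame:
    """Parse one STOMP frame: command line, header lines, blank line, body, NUL."""
    head, sep, rest = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("malformed STOMP frame: missing header/body separator")
    body = rest.split(b"\x00", 1)[0]
    lines = head.decode("utf-8").split("\n")
    command = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        # STOMP semantics: the first occurrence of a repeated header wins.
        headers.setdefault(name, value)
    return StompFrame(command, headers, body)


def version_disclosures(frame: StompFrame) -> list:
    """Return (header, version) pairs for headers that expose a component version."""
    findings = []
    for name, value in frame.headers.items():
        if name == "version":
            continue  # negotiated STOMP protocol version, not a component version
        match = VERSION_RE.search(value)
        if match:
            findings.append((name, match.group(0)))
    return findings


def asvs_14_3_3_ok(raw: bytes) -> bool:
    """True when the CONNECTED frame discloses no component version."""
    return not version_disclosures(parse_frame(raw))


def probe_broker(host: str, port: int = 61613, timeout: float = 5.0) -> bytes:
    """Connect to your own broker and return its raw CONNECTED frame (assumed
    anonymous CONNECT is permitted; adjust headers for your deployment)."""
    connect = b"CONNECT\naccept-version:1.2\nhost:" + host.encode() + b"\n\n\x00"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(connect)
        buf = b""
        while b"\x00" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_FRAME), ("clean", CLEAN_FRAME)):
        frame = parse_frame(raw)
        print(label, frame.command, version_disclosures(frame), asvs_14_3_3_ok(raw))
```

Run it against the constructed frames to see the leaky one fail and the clean one pass; after overriding version.txt, call probe_broker against the broker and feed the returned bytes to asvs_14_3_3_ok to confirm the server header no longer carries a version. The check deliberately scans every header rather than only server, because the requirement covers any part of the response.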