Loading...

XML

Word

Printable

Details

Type: Feature Request
Resolution: Done
Priority: Major
Fix Version/s: 2.5.1
Affects Version/s: 2.4 GA, SaaS
Component/s: Gateway
Labels:
- support

3Scale PT Tested upstream:
Not Started
3scale PT Docs:
Not Started
3scale PT Product Specs:
Not Started
3scale PT Product Update Ready:
Not Started
3scale PT Released In Saas:
Not Started
3scale PT Verified Product:
Not Started
QE Test Coverage:
+
Hierarchy Progress:
0
Hierarchy Progress Bar:

0% 0%
Target Release:

2.5.1

SFDC Cases Links:
SFDC Cases Counter:

Description

For security reasons, it's sometimes desired to NOT include the openresty version number in response headers and error response bodies.

For example take note of '1.13.6.2' in the Server header and response body:

HTTP/1.1 504 Gateway Time-out
Server: openresty/1.13.6.2
Date: Thu, 28 Feb 2019 16:20:43 GMT
Content-Type: text/html
Content-Length: 189
Connection: keep-alive

<html>
<head><title>504 Gateway Time-out</title></head>
<body bgcolor="white">
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>openresty/1.13.6.2</center>
</body>
</html>

To prevent this, you can set `server_tokens off;` in the nginx conf in the http block.

Results in:

HTTP/1.1 504 Gateway Time-out
Date: Thu, 28 Feb 2019 16:09:40 GMT
Content-Type: text/html
Content-Length: 180
Connection: keep-alive

<html>
<head><title>504 Gateway Time-out</title></head>
<body bgcolor="white">
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>openresty</center>
</body>
</html>

Ideally this would be set via SERVER_TOKENS=off or some such environment variable.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Shannon Poole

Developer:: Michal Cichra (Inactive)

Votes:: 1 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2019/02/28 11:24 AM

Updated:: 2023/03/22 7:57 AM

Resolved:: 2019/05/13 6:25 AM