14.3.3 - reword for clarifying the goal
elarlang opened this issue · 4 comments
Current requirement:
V14.3.3 Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of server-side components.
The goal is to not reveal information about server-side components. Those components may also reveal their information when they are making HTTP requests, generating files, etc.
One option, to go with more abstract requirement:
Verify that the application does not expose detailed version information of server-side components.
Or to list some examples (for direction, wording needs improvement):
Verify that the application does not expose detailed version information of server-side components, such as in HTTP response headers, in the HTTP response body, in generated file metadata, or in HTTP request headers if the server-side component makes an HTTP request.
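As an added illustration of what a verification check across the locations listed above could look like (example code written for this discussion, not code from the ASVS project or from the commenter), the scanner below looks for product/version strings in response headers, the response body, the metadata of a generated file, and the headers of an outbound request made by a server-side component. The header names, regexes and all sample inputs are constructed assumptions; the check flags "Apache/2.4.41" but not a bare "Apache", which is the distinction the requirement draws.

```python
import re
from typing import Dict, List, Tuple

# Headers whose values commonly carry a component version, even without a
# product name (e.g. "X-AspNet-Version: 4.0.30319"). Constructed list.
VERSION_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
    "x-generator", "user-agent",
}

# "Apache/2.4.41", "PHP 7.4.3", "WordPress v5.8.1", "Java/1.8.0_292".
# A dotted numeric version is required, so a bare product name does not match.
PRODUCT_VERSION_RE = re.compile(
    r"\b([A-Za-z][A-Za-z0-9_.+-]{1,30})[/ ]v?(\d+\.\d+(?:\.\d+)*(?:[-_][A-Za-z0-9.]+)?)"
)
BARE_VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")
# Protocol tokens that look like product/version pairs but are not components.
IGNORED_PRODUCTS = {"http", "tls", "mozilla"}

Finding = Tuple[str, str, str]  # (location, product, version)


def scan_text(location: str, text: str) -> List[Finding]:
    """Return every product/version pair found in free text (body, file metadata)."""
    findings: List[Finding] = []
    for m in PRODUCT_VERSION_RE.finditer(text):
        product, version = m.group(1), m.group(2)
        if product.lower() in IGNORED_PRODUCTS:
            continue
        findings.append((location, product, version))
    return findings


def scan_headers(where: str, headers: Dict[str, str]) -> List[Finding]:
    """Scan header values; for known version-bearing headers also catch bare versions."""
    findings: List[Finding] = []
    for name, value in headers.items():
        location = f"{where} header {name}"
        found = scan_text(location, value)
        if not found and name.lower() in VERSION_HEADERS:
            # No product name present: report the header name as the component.
            found = [(location, name, m.group(0)) for m in BARE_VERSION_RE.finditer(value)]
        findings.extend(found)
    return findings


def scan_file_metadata(filename: str, data: bytes) -> List[Finding]:
    """Scan the raw bytes of a generated file (PDF, DOCX, image) for producer strings."""
    return scan_text(f"file {filename}", data.decode("latin-1"))


def scan_http_exchange(resp_headers: Dict[str, str], body: str,
                       outbound_headers: Dict[str, str]) -> List[Finding]:
    """Combine the three HTTP-side checks the requirement text mentions."""
    return (scan_headers("response", resp_headers)
            + scan_text("response body", body)
            + scan_headers("outbound request", outbound_headers))


if __name__ == "__main__":
    # Constructed sample data; not captured from any real system.
    leaky_headers = {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
                     "X-AspNet-Version": "4.0.30319", "Content-Type": "text/html"}
    leaky_body = ('<meta name="generator" content="WordPress 5.8.1">'
                  '<address>Apache/2.4.41 (Ubuntu) Server at example.com Port 80</address>')
    outbound = {"User-Agent": "Java/1.8.0_292", "Accept": "*/*"}
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Producer (wkhtmltopdf 0.12.6) /Creator (wkhtmltopdf 0.12.6) >>"
    hardened_headers = {"Server": "Apache", "X-Content-Type-Options": "nosniff"}

    for f in scan_http_exchange(leaky_headers, leaky_body, outbound) + scan_file_metadata("report.pdf", pdf):
        print("version disclosure:", f)
    print("hardened headers findings:", scan_headers("response", hardened_headers))
```

The fallback on `BARE_VERSION_RE` is deliberately limited to the named headers; applying it to every header or to the whole body would flag things like content-length values or prices as versions.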
I would suggest fully dropping 4.3.3. It doesn't help security any. There are so many modern fingerprinting services and capabilities that it's trivial to figure out exactly what server tech you are using.
But if you do want to keep this, I prefer @elarlang's suggestion to keep it abstract and simple.
Verify that the application does not expose detailed version information of server-side components.
Hiding the version does not fix the vulnerability. I think we just need to add a line about it into the section text, it applies to other requirements there as well.
Example for the meaning, using different wording is more than welcome:
Hiding the version of server-side components does not fix the need to patch all components and disabling the folder listing does not eliminate the need to use authorization controls or keep files away from the public folder, but it raises the bar.
So here are two questions:
- the requirement - is the abstract wording too abstract, and would it actually be nicer to list those examples? Then it is quite clear what is meant by that requirement
- the section text - I just proposed the idea, I feel that it requires some wordsmithing