[appserver-io/webserver] Hide sensitive header vars

Question

[appserver-io/webserver] Hide sensitive header vars

Opened this issue 9 years ago · 0 comments

appserver.io per default exposes information which can be used against it. This can be considered a light information leakage vulnerability as a potential attacker can use the exposed information to tailor an attack.
An example is the Server header field which per default contains the appserver AND the used PHP version.
This can be used to simply look up known vulnerabilities for both.

UAC:

There MUST NOT be default exposure of information which can be directly linked to known vulnerabilties