[Bug] X-Powered-By header is exposed
mcujba opened this issue · 5 comments
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
x-powered-by exposes the php version.
~ curl --head https://bookstack.site.com
HTTP/2 302
date: Mon, 23 Sep 2024 10:38:02 GMT
content-type: text/html; charset=utf-8
location: https://bookstack.site.com/login
server: nginx
x-powered-by: PHP/8.3.1
cache-control: no-cache, no-store, private
Expected Behavior
Based on a security recommendation this header needs to be removed.
Steps To Reproduce
~ curl --head https://bookstack.site.com
**x-powered-by: PHP/8.3.10**
Environment
- Run on Amazon ECS
- How docker service was installed: terraform deploy container definition
CPU architecture
x86-64
Docker creation
we use `lscr.io/linuxserver/bookstack:24.05.4` without modifications
Container logs
no anomalies
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
A human has marked this issue as invalid, this likely happened because the issue template was not used in the creation of the issue.
While this bug report is not properly filled in, you are free to edit the nginx configuration as you see fit; it is stored in persistent storage.
yes, I could do that.
But I think it should already be in the registry image.
It's a case of security.
While the security aspect is present, we purposely follow the default config provided by Alpine https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.20-stable, which again builds on the default Nginx config.
If this image was built to be directly exposed to the internet, it would have a hardened default, but as with any of our nginx based images (excluding SWAG), this is not built to be directly exposed to the internet, but rather to sit behind a reverse proxy (in which you can strip both the server and x-powered-by headers).
Shipping this change by default is out of scope of this image.
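As an added example (not part of the image or of anyone's reply above), a reverse-proxy server block that strips the headers the maintainer mentions, plus the in-container alternative in a comment; the hostname and upstream address are placeholders:

```nginx
# Added example: nginx reverse proxy in front of the BookStack container.
# bookstack.example.com and the upstream address are assumed placeholders.
server {
    listen 443 ssl;
    server_name bookstack.example.com;
    # (ssl_certificate / ssl_certificate_key directives omitted here)

    # Hide the nginx version; the Server header still reads "nginx".
    # Removing it entirely needs the headers-more module:
    #   more_clear_headers Server;
    server_tokens off;

    location / {
        proxy_pass http://bookstack-container:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Drop the header set by PHP before the response reaches the client.
        proxy_hide_header X-Powered-By;
    }
}

# Alternative, applied to the container's own nginx config in persistent
# storage, inside the location block that passes requests to PHP-FPM:
#
#     location ~ \.php$ {
#         ...
#         fastcgi_hide_header X-Powered-By;
#     }
#
# or set expose_php = Off in php.ini so PHP never emits the header at all.
```

After reloading, repeat the `curl --head` check from the report; the x-powered-by line should no longer appear.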