testssl/testssl.sh

[BUG] Server-Timing header being reported as Server Banner

Closed this issue · 3 comments

I am running version: testssl.sh version 3.2.0 from https://testssl.sh/ (just pulled latest version)

Command line / docker command to reproduce

testssl.sh glueware.co.nz

Expected behavior

I would expect the Server-Banner response to be empty as this is not being returned by the website. However, the Server Banner is displaying the Server-Timing header results.

Server banner Server-Timing: cache;desc=hit, varnish;desc=hit, dc;desc=blahblah

Your system (please complete the following information):

  • OS: Kali GNU/Linux Rolling
  • Platform: Linux 6.12.20-amd64 x86_64
  • OpenSSL + bash:
  Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~183 ciphers]
  Using bash 5.2.37

Additional context

Not sure that there is anything else to add.

Use this line "http-response del-header Server" inside the haproxy server.

I don’t think this is relevant. It is a test against a server where I don’t control the infrastructure. There is no server-banner yet testssl.sh is saying that the server-timing header is the server-banner.

Thanks for filing the issue! The parser for the server header isn't quite correct.

Will be fixed at the next occasion.
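
An added illustration of the symptom reported in this issue, not testssl.sh's own code: a header-name match that does not require the colon delimiter reports `Server-Timing` as the banner, while an exact-name match does not. The loose pattern is an assumed failure mode, and the function names and sample headers are constructed.

```shell
#!/bin/sh
# Constructed sample response: no "Server:" header, only "Server-Timing:".
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: text/html\r\n'
    printf 'Server-Timing: cache;desc=hit, varnish;desc=hit\r\n'
    printf 'X-Served-By: cache-example\r\n\r\n'
}

# Constructed sample that carries both headers, in lower case.
sample_headers_with_server() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'server-timing: dc;desc=example\r\n'
    printf 'server:   nginx\r\n\r\n'
}

# Assumed failure mode: prefix match on the header name with no delimiter
# check, so any header whose name merely starts with "Server" is accepted.
banner_loose() {
    tr -d '\r' | grep -i '^Server' | head -n 1
}

# Exact match: the field name must be "Server" (any case) followed directly
# by the colon. Prints only the field value, or nothing if the header is absent.
banner_strict() {
    tr -d '\r' | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[ ]*//p' | head -n 1
}

echo "loose : $(sample_headers | banner_loose)"
echo "strict: $(sample_headers | banner_strict)"
echo "strict: $(sample_headers_with_server | banner_strict)"
```

With both headers present, the loose match also returns the `server-timing` line first and hides the real banner.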