Information Disclosure in HTTP response header

cancel
Showing results for 
Search instead for 
Did you mean: 
leochan168
Member II

Information Disclosure in HTTP response header

A response header is an HTTP header that can be used in an HTTP response and that doesn't relate to the content of the message. Response headers, like Age, Location or Server are used to give a more detailed context of the response.

Penetration tester found that there is sensitive information related to the server version in the HTTP response header and the version of the web application framework used.

 

Exposing details of the server version and web application technology can increase the likelihood of attackers efficiently exploiting servers with known knowledge.

1 Reply
angelborroy
Alfresco Employee

Re: Information Disclosure in HTTP response header

There are different actions that may be taken to patch this vulnerability. Since Alfresco is installed behind a HTTP Web Proxy (NGINX by default), following configuration will avoid to expose unwanted information in HTTP responses:

https://medium.com/@getpagespeed/how-to-remove-the-server-header-in-nginx-e74c7b431b

Hyland Developer Evangelist