Server tokens #596
There are some deployment environments that consider leaking the software type and/or version to be a security risk. Config.pod mentions that you can set "server_tokens" to false to disable the "Server" header, or use the environment variable DANCER_SERVER_TOKENS to do the same. These are added by this commit.
👍 Great job!
👍
Thanks guys. I've found the build problem, will add a commit to treat that soon.
@veryrusty Good point. I agree.
Core::Runner only holds configuration for what are effectively "global" options (it is a singleton). This includes 'environment', and the 'server_tokens' & 'startup_info' (taken from #596). Note that the Runner's environment may not be changed once the singleton exists. Per-application config options previously in the Runner's default config were moved into Core::App.
Recent commits from @veryrusty add support for this, but it should be tested and revised according to most recent master branch.
Hmmm.. my commits only made We either need the logic @omar-m-othman added to Core::Runner in 8ebbe65 to disable the Server header, or move the addition of the Server header be within
Merged! :)
[ BUG FIXES ]
* GH #744: Serialize anything, not just references. (Sawyer X)
* GH #744: Serialize regardless of content_type of serializer. (Sawyer X)
* GH #764: Catch template render errors. (Russell Jenkins, Steven Humphrey)
* Calling uri_for(undef) doesn't crash. (Sawyer X)
* GH #732: Correct name for 403 (Forbidden, not Unauthorized). (Theo van Hoesel, Sawyer X, Mickey Nasriachi, Omar M. Othman)
* GH #753: Syntax of parameterized types. (Russell Jenkins)
* GH #734: Failing tests on Windows. (Russell Jenkins, Sawyer X)

[ ENHANCEMENTS ]
* GH #664, #684, #715: Handler::File replaced for static files with Plack::Middleware::Static, allowing files to be served *before* routes. This means hooks do not apply to static files anymore! (Russell Jenkins, DavsX)
* Engines now have "logger" attribute to log errors. It sends the Dancer2::Logger:: object, if one exists. (Sawyer X)
* Serializers do not need to implement "loaded" method. (Sawyer X)
* GH #733: In core: response_xxx removed in favor of generic standard_response. (Sawyer X, Mickey Nasriachi, Omar M. Othman)
* GH #514, #642, #729: Allow mixing named params, splat, and megasplat. (Russell Jenkins, Johan Spade, Dávid Kovács)
* GH #596: no_server_tokens works, as well as DANCER_NO_SERVER_TOKENS. (Omar M. Othman, Sawyer X, Mickey Nasriachi)
* GH #639: Validate engine types in configuration. (Sawyer X, Omar M. Othman, Mickey Nasriachi, Russell Jenkins)
* GH #663, #741: Remove "accept_type" attribute and other references. (Mickey Nasriachi, Theo van Hoesel)
* GH #748: Provide forwarded_host, forwarded_protocol. (Sawyer X)
* GH #748: Do not provide a default env, require env for a request. (Sawyer X)
* GH #742: Update test skeleton to use to_app. (Dávid Kovács)
* GH #636: Use Plack::Test in more tests. (Dávid Kovács)

[ DOCUMENTATION ]
* GH #656: Dancer2::Manual::Testing as a guide for testing Dancer2 applications. (Sawyer X)
* Improved documentation of route matching. (Russell Jenkins)
* Migration document update relating to enhancements. (Sawyer X, Mickey Nasriachi)
* GH #731: Document changes in session. (racke, Sawyer X, Mickey Nasriachi, Omar M. Othman)
* Document "id" attribute in Request object. (Sawyer X)
* Correct Cookbook examples on command line scripts. (Sawyer X)