Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

remove gunicorn server header from responses #2640

Merged
merged 1 commit into from
Oct 24, 2019

Commits on Oct 23, 2019

  1. remove gunicorn server header from responses

    All our requests identify the web server they were served with via the
    `server` response header. This opens us up to potential attackers who
    might be crawling the internet looking for specific versions with known
    vulnerabilities. As our dependencies are open source, this doesn't
    affect any targeted attacks as they can just look at our repos on
    github, but this theoretically will marginally improve security.
    
    Regardless, the header isn't useful [1], we're not the first people to
    want to get rid of it, and gunicorn are in the process of at least
    amending it to remove the version information [2].
    
    This shouldn't have any impact on us, though an empty string will be
    passed through to debug information in event of a crash. That's fine
    though, as we already know what version we're running.
    
    [1] https://www.fastly.com/blog/headers-we-dont-want
    [2] benoitc/gunicorn#825
    leohemsted committed Oct 23, 2019
    Configuration menu
    Copy the full SHA
    acb5e9f View commit details
    Browse the repository at this point in the history