
clear yaws version info away from http header #86

Closed
ai-quantong opened this Issue · 6 comments

3 participants

ai-quantong Steve Vinoski Claes Wikstrom
ai-quantong

Hello!

I am a web-project developer. Recently I have been working on a project using yaws as the HTTP server for a bank!

For security reasons, my customer hopes that we would clear the yaws version info away from the HTTP header. Sometimes the leak of info like this can make the system vulnerable to attack. The same as other web servers (tomcat, weblogic), Yaws should supply some fields to control it in the profile. However, I spent almost one day searching the profile, the instructions, and even the code of Yaws. Unfortunately, I got nothing!

Do I still need to find the fields? Does Yaws provide the fields?

Thanks!!

ai-quantong

Hi
I know! Yaws 1.92 can support the fields in the profile. Now I am busy updating yaws from version 1.88 to version 1.92!

Steve Vinoski
Collaborator

Correct. If you set the server_signature global configuration variable, you can control what is returned in the "Server" HTTP response header.

Steve Vinoski
Collaborator

A commit yesterday also added the ability to set server_signature on a per-virtual-server level as well as at the global level.

ai-quantong

Thanks!
As you say, we can get past the problem like this. But for Yaws-1.88, I had to change the code (yaws_generated.complete), then configure && make again! However, I don't know whether this can cause some side effects!

Steve Vinoski
Collaborator

For Yaws 1.88, I recommend just changing the code in src/yaws.erl around line 1364. The code there looks like this:

    ["Server: Yaws/", yaws_generated:version(), " Yet Another Web Server\r\n" |

Change that to:

    ["Server: Yaws (Yet Another Web Server)\r\n" |

or something equally as suitable.
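A small check to confirm the change took effect, added here as an example and not part of the Yaws project or this thread: it inspects the Server header of an HTTP response and reports whether it still discloses a product version (the "Yaws/1.88" form from the original code). The two sample responses are constructed, not captured from a real server; the URL in check_url is a placeholder.

```shell
#!/bin/sh
# Return 0 (true) if the Server header in the HTTP response text given as $1
# carries a "product/version" token such as "Yaws/1.88", 1 otherwise.
server_header_leaks_version() {
    # Take the first Server header (case-insensitive), strip CRs and the field name.
    server=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^Server:' | head -n 1 | cut -d: -f2-)
    [ -n "$server" ] || return 1
    # A product token followed by "/" and a dotted number is a version disclosure.
    printf '%s\n' "$server" | grep -Eq '[A-Za-z][A-Za-z0-9_-]*/[0-9]+(\.[0-9]+)*'
}

# Constructed sample: what the unmodified Yaws 1.88 code emits.
LEAKY_RESPONSE='HTTP/1.1 200 OK
Server: Yaws/1.88 Yet Another Web Server
Content-Type: text/html'

# Constructed sample: the header after the edit suggested above.
QUIET_RESPONSE='HTTP/1.1 200 OK
Server: Yaws (Yet Another Web Server)
Content-Type: text/html'

# Fetch headers from a live server (placeholder URL) and run the same check.
check_url() {
    headers=$(curl -sI "$1") || return 2
    server_header_leaks_version "$headers"
}

for r in "$LEAKY_RESPONSE" "$QUIET_RESPONSE"; do
    if server_header_leaks_version "$r"; then
        echo "version disclosed: $(printf '%s\n' "$r" | grep -i '^Server:')"
    else
        echo "no version in Server header"
    fi
done
```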

Claes Wikstrom
Owner