
clear yaws version info away from http header #86

Closed
ai-quantong opened this Issue Feb 2, 2012 · 6 comments


Hello!

I am a web-project developer. Recently I have been working on a project that uses Yaws as the HTTP server for a bank!

For security reasons, my customer hopes that we will clear the Yaws version info away from the HTTP header. Sometimes a leak of info like this can make the system vulnerable to attack. Like other web servers (Tomcat, WebLogic), Yaws should supply some fields to control it in the profile. However, I spent almost a day searching the profile, the instructions and even the code of Yaws. Unfortunately, I got nothing!

Do I still need to look for the fields? Does Yaws provide the fields?

Thanks!!

Hi
I know! Yaws 1.92 can support the fields in the profile. Now I am busy updating Yaws from version 1.88 to version 1.92!

Collaborator

vinoski commented Feb 2, 2012

Correct. If you set the server_signature global configuration variable, you can control what is returned in the "Server" HTTP response header.

Collaborator

vinoski commented Feb 3, 2012

A commit yesterday also added the ability to set server_signature on a per-virtual-server level as well as at the global level.

Thanks!
As you say, we can get past the problem like this. But for Yaws 1.88, I had to change the code (yaws_generated.complete), then configure && make again! However, I don't know whether this can cause some side effects!

Collaborator

vinoski commented Feb 6, 2012

For Yaws 1.88, I recommend just changing the code in src/yaws.erl around line 1364. The code there looks like this:

    ["Server: Yaws/", yaws_generated:version(), " Yet Another Web Server\r\n" |

Change that to:

    ["Server: Yaws (Yet Another Web Server)\r\n" |

or something equally suitable.
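The two routes discussed in this thread are the `server_signature` configuration directive (global, and per virtual server after the February 2012 commit) for Yaws 1.92 and later, and a source patch to the `Server:` line in `src/yaws.erl` for 1.88. The script below is an added example, not code from the Yaws project or from anyone in this thread. It writes a sample `yaws.conf` fragment using the directive named above (the exact file syntax is my assumption from the directive name; check the `yaws.conf` man page for your version) and defines a check that a captured HTTP response header block no longer exposes a version in the `Server` header. The three sample responses are constructed, not captured from a real server, and match the default 1.88 string quoted above, the patched string, and a configured signature.

```shell
#!/bin/sh
# Added example, not code from the Yaws project or the thread's authors.
# 1. write_sample_conf: a yaws.conf fragment using the server_signature
#    directive named in the thread (syntax assumed from the directive name).
# 2. server_header / server_leaks_version: check a raw HTTP response header
#    block for a version number in the Server header.

# Write a sample yaws.conf fragment to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Global section: applies to every virtual server unless overridden.
server_signature = "Yaws"

<server www.example.com>
    port = 8080
    listen = 0.0.0.0
    docroot = /var/www
    # Per-virtual-server override (possible after the Feb 2012 commit).
    server_signature = "webserver"
</server>
EOF
}

# Print the value of the first Server header in a raw HTTP response ($1).
# CRLF line endings are stripped first; the header name matches case-insensitively.
server_header() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^server:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//'
}

# Succeed (exit 0) when the Server header carries something that looks like a
# version: "Product/1.88", a bare "1.88", or any "/<digit>" product/version form.
# Fail (exit 1) when the header is absent or version-free.
server_leaks_version() {
    hdr=$(server_header "$1")
    [ -n "$hdr" ] || return 1
    printf '%s\n' "$hdr" | grep -Eq '[0-9]+\.[0-9]+|/[0-9]'
}

# Constructed sample responses (not captured from a real server).
# What an unmodified Yaws 1.88 sends, per the src/yaws.erl line quoted above:
RESPONSE_DEFAULT=$(printf 'HTTP/1.1 200 OK\r\nServer: Yaws/1.88 Yet Another Web Server\r\nDate: Thu, 02 Feb 2012 07:56:00 GMT\r\nContent-Type: text/html\r\n\r\n')
# After the source patch suggested above for 1.88:
RESPONSE_PATCHED=$(printf 'HTTP/1.1 200 OK\r\nServer: Yaws (Yet Another Web Server)\r\nContent-Type: text/html\r\n\r\n')
# With server_signature = "Yaws" in yaws.conf (1.92 and later); lower-case
# header name to show the match is case-insensitive:
RESPONSE_CONFIGURED=$(printf 'HTTP/1.1 200 OK\r\nserver: Yaws\r\nContent-Type: text/html\r\n\r\n')

# Usage against a live server: feed curl's HEAD output to the check, e.g.
#   server_leaks_version "$(curl -sI http://127.0.0.1:8080/)" && echo "version exposed"
```

Run the check against each virtual host after deploying, since a per-server `server_signature` only covers the host it is set in. Keep in mind that the banner is only a hint: Yaws can still be fingerprinted from other behaviour, so hiding the version complements keeping the server patched rather than replacing it, which is the substance of klacke's reservation below.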

Owner

klacke commented Feb 8, 2012

On 02/02/2012 07:56 AM, ai-quantong wrote:

Hello!

I am a web-project developer. Recently I have been working on a project that uses Yaws as the HTTP server for a bank!

For security reasons, my customer hopes that we will clear the Yaws version info away from the HTTP header. Sometimes a leak of info like this can make the system vulnerable to attack. Like other web servers (Tomcat, WebLogic), Yaws should supply some fields to control it in the profile. However, I spent almost a day searching the profile, the instructions and even the code of Yaws. Unfortunately, I got nothing!

Do I still need to look for the fields? Does Yaws provide the fields?

If you need to do this, which I dislike btw, you need to fork from github, and
patch the code. Easy and straightforward.

-klacke

@ai-quantong ai-quantong closed this Mar 9, 2012
