Option to suppress server response headers? #38

Closed
MarcusRiemer opened this issue Nov 21, 2018 · 2 comments
MarcusRiemer commented Nov 21, 2018

Currently the server seems to answer every request with the exact version of falcon that served the request: server: falcon/0.19.5. I do get that you guys are (rightfully!) proud of your work, but I would strongly prefer to not advertise that my application uses a specific version of your product. At the very least I see no reason to make things easier for automated malware frameworks in case of possible security issues. Maybe you could at least add an option to suppress the exact version?

@ioquatix
Member

The reason for that header is according to the RFC.

That being said, we could certainly have an option to skip it or maybe remove it entirely. Honestly, it doesn't add very much and you are right it's a vector for fingerprinting.

@ioquatix
Member

Just FYI, here is where it's implemented.

headers.add('server', "falcon/#{Falcon::VERSION}")
headers.add('date', Time.now.httpdate)
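
The following is an added example, not part of the issue thread and not Falcon's code: it parses a `server` header value into its product tokens, reports whether a version is disclosed, and shows what "keep", "product only" and "omit" settings would produce. The policy names and helper functions are hypothetical, and the sample headers are constructed.

```ruby
# Added example. Policy names below are hypothetical, not Falcon options.
POLICIES = %i[keep product_only omit].freeze

# RFC 7230 "token" characters; a product is token ["/" product-version].
TOKEN = /[!\#\$%&'*+\-.^_`|~0-9A-Za-z]+/
PRODUCT = /\A(?<name>#{TOKEN})(?:\/(?<version>#{TOKEN}))?\z/

# Header names are case-insensitive, so find the key however it is spelled.
def server_key(headers)
  headers.keys.find { |k| k.to_s.casecmp?('server') }
end

# Split a Server value into products, ignoring parenthesised comments.
def parse_server(value)
  products = value.gsub(/\([^()]*\)/, ' ').split.map do |part|
    m = PRODUCT.match(part)
    { name: m[:name], version: m[:version] } if m
  end
  products.compact
end

# True when any product in the Server header carries a version.
def version_disclosed?(headers)
  key = server_key(headers)
  !key.nil? && parse_server(headers[key]).any? { |p| p[:version] }
end

# Return a copy of the headers with the Server header handled per policy.
def apply_server_policy(headers, policy)
  raise ArgumentError, "unknown policy: #{policy.inspect}" unless POLICIES.include?(policy)

  out = headers.dup
  key = server_key(out)
  return out if key.nil? || policy == :keep

  names = policy == :omit ? [] : parse_server(out[key]).map { |p| p[:name] }
  if names.empty?
    out.delete(key)
  else
    out[key] = names.join(' ')
  end
  out
end

# Constructed sample response headers.
sample = { 'server' => 'falcon/0.19.5', 'date' => 'Wed, 21 Nov 2018 10:00:00 GMT' }
p version_disclosed?(sample)
p apply_server_policy(sample, :product_only)
```

`version_disclosed?` can also serve as a regression check over captured response headers, so a change that reintroduces the version is caught in tests.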
