X-Application-Context HTTP response header exposes internal server port #1308
Comments
There isn't currently a simple way to disable that header, but we can certainly add an option. In the meantime it appears that the header is actually exposing the Something like:
Should do the trick.
Thanks Phil for your answer; unfortunately the setId() comes too late because the init is done by the run().
Apps in cloudfoundry don't have the port in the application context id, so it must be possible to change this behaviour if you need to. That works by just registering a listener that sets the context id. Just out of interest: what exactly is the security issue (i.e. what could a bad guy do with the port information that he couldn't do without it)?
Being a good guy, I don't know ;) but I think the less information leaks, the better anyway.
I worked for customers being paranoid about leaking anything about the environment (that it's running on Tomcat, internal ports etc.). But this is a perfect task to let the reverse proxy handle, by having it remove those headers.
It isn't cloudfoundry that changes the header, it's the
Looking at the source code for
Add `management.add-application-context-header` option to disable the automatic adding of the `X-Application-Context` HTTP header. Fixed gh-1308
Setting spring.application.name and spring.application.index in application.yml is a good solution.
Also,
Using spring-boot 1.1.4.
Spring-boot-actuator's EndpointWebMvcAutoConfiguration.ApplicationContextFilterConfiguration registers a Filter that adds a response header X-Application-Context containing the application id, but it does not remove it, and so the browser gets it.
By default, the application id is something like "application:int:8080", which is a concatenation of the "application" (?), profile and server port.
In the scenario where the application is behind a reverse proxy, I find it a bit unsafe to expose the internal port number even though it should not be accessible from the external world.
Is there a way to disable this behavior without breaking actuator?
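The two remedies the thread arrives at, written out as an application.yml fragment (an added example, not configuration posted in the issue): the default context id leaks `server.port`, so either give the id explicit `spring.application.name` / `spring.application.index` values, or switch the header off with the `management.add-application-context-header` option introduced by the fix. The `internal-api` name and index `1` are constructed placeholders.

```yaml
# application.yml (added example; values are constructed placeholders)

# Default behaviour (nothing set): context id becomes
#   <name>:<active profile>:<server.port>, e.g. "application:int:8080",
# and actuator's filter copies it into X-Application-Context on every response,
# exposing the internal listening port through the reverse proxy.

spring:
  application:
    name: internal-api   # constructed: replaces the default "application" part
    index: 1             # constructed: used in the id instead of server.port
  profiles:
    active: int

# Result: X-Application-Context: internal-api:int:1  (no port disclosed)

# Alternatively, on Spring Boot versions carrying the fix for gh-1308,
# suppress the header entirely rather than just changing its contents.
management:
  add-application-context-header: false
```

Whichever option is used, verify the deployed behaviour by inspecting a response from the proxy's public side rather than trusting the configuration alone.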