Hide server tokens #414

Open
jonhadfield opened this Issue Jan 4, 2019 · 4 comments


jonhadfield commented Jan 4, 2019

Both app and sync.standardnotes.org reveal software versions in the HTTP response Server headers:
app: nginx/1.10.3 + Phusion Passenger 5.1.4
sync: nginx/1.10.3

Including this configuration (see here) is recommended to avoid revealing versions:
server_tokens off;
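A defender-side check for the disclosure described above, as an added example that is not part of the issue thread or of the Standard Notes project. It uses constructed header samples (the versions are the ones quoted in the issue; no host is contacted) and flags a Server header that still carries a version number, which is what an auditing tool such as those mentioned later in the thread reports. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: detect software-version disclosure in an HTTP Server header.
#
# The fix discussed in the issue goes in the nginx http {} block:
#   server_tokens off;
# which turns "Server: nginx/1.10.3" into "Server: nginx". The Passenger
# suffix ("+ Phusion Passenger 5.1.4") is appended by Passenger itself, so
# a check must look at the whole header value, not just the nginx part.

# Constructed sample responses (not captured from any live host).
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.10.3 + Phusion Passenger 5.1.4
Content-Type: text/html'

HARDENED_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# Print the value of the first Server header in the given header block.
# Header names are matched case-insensitively and a trailing CR is dropped.
server_header() {
    printf '%s\n' "$1" | awk -F': ' '
        tolower($1) == "server" { sub(/\r$/, "", $2); print $2; exit }'
}

# Return 0 (true) when the Server header value contains something that
# looks like a version number (digits separated by a dot), 1 otherwise.
server_header_leaks_version() {
    value=$(server_header "$1")
    printf '%s' "$value" | grep -Eq '[0-9]+\.[0-9]+'
}

# Stand-alone run: report both samples.
if server_header_leaks_version "$LEAKY_HEADERS"; then
    echo "leaky sample: version disclosed in 'Server: $(server_header "$LEAKY_HEADERS")'"
fi
if server_header_leaks_version "$HARDENED_HEADERS"; then
    echo "hardened sample: version disclosed"
else
    echo "hardened sample: no version in 'Server: $(server_header "$HARDENED_HEADERS")'"
fi
```

To run the same check against a server you operate, feed it the output of `curl -sI https://example.invalid/` (a placeholder URL) in place of the constructed samples; the hardened sample is what `server_tokens off;` produces for plain nginx, and the leaky one shows that the Passenger token needs its own attention.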

mobitar (Member) commented Jan 6, 2019

Good point. Do you see any other rationale besides the fact that a would-be attacker can determine what vulnerabilities your server has based on your nginx version?

I've made this update to our Listed server as a preliminary test to make sure it doesn't throw anything off. Will update main servers after that.

jonhadfield commented Jan 6, 2019

It's mainly to reduce information leakage for the reason you suggested.

Depending on how you read the advice from Apache httpd docs: https://httpd.apache.org/docs/current/mod/core.html#servertokens, it may seem ineffective or even a bad idea!? I strongly disagree with their statement regarding security regarding tokens on that page, as would Qualys, OWASP, and plenty of other security auditing software.

Regardless, if you don't need it for your own debugging purposes then I don't see the benefit of sending extra, redundant bytes in every response.

mobitar (Member) commented Jan 7, 2019

Interesting (and very direct) note by Apache. Will have to consider this one more.

jonhadfield commented Jan 7, 2019

"Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems."

Could also be read as "if you're not trying to debug, then it doesn't hurt to."

"Also note that disabling the Server: header does nothing at all to make your server more secure."

That's true in the sense that hiding tokens does not itself prevent someone exploiting a vulnerability. It definitely does make it more difficult for an attacker to determine the version and that may assist them in finding a vulnerability to exploit.

The idea of "security through obscurity" is a myth and leads to a false sense of safety.

I'd argue that's a truism. At the same time though, I'm not sure anyone would say revealing more information about your system than necessary is good security.

Just my $0.02.
