Bram Bogaert created WICKET-7004:
------------------------------------
Summary: Jetty config example contains security hazard
Key: WICKET-7004
URL: https://issues.apache.org/jira/browse/WICKET-7004
Project: Wicket
Issue Type: Improvement
Components: wicket-quickstart
Affects Versions: 9.12.0
Reporter: Bram Bogaert
Inside
{{/wicket-archetype-quickstart/src/main/resources/archetype-resources/src/test/jetty/jetty.xml}}
the following setting can be found:
{code:xml}
<Set name="sendServerVersion">true</Set>
{code}
This results in each http response having a header like:
{{Server : Jetty(9.4.46.v20220331)}}
While none of this is a problem in itself (it is a test resource), it shouldn't
be useful for tests and can be an example that could result in a security
hazard. If one were to copy this configuration for a Jetty production server, too
much information would become readily accessible to people with bad intentions
(it reveals the server software and version number).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
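As an added illustration (not part of the original report or of the Wicket quickstart archetype itself), this is how the relevant part of a Jetty 9.4 jetty.xml looks with the setting flagged above beside the hardened form. The surrounding HttpConfiguration element and the sendXPoweredBy setter are assumed here from the Jetty 9.4 HttpConfiguration API; the id httpConfig is an assumption and need not match the quickstart file.

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- Weak form (as in the test resource discussed above): every response
       carries "Server: Jetty(9.4.x...)", disclosing software and version. -->
  <!--
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="sendServerVersion">true</Set>
  </New>
  -->

  <!-- Hardened form for a production server: suppress the Server header
       (sendServerVersion) and the X-Powered-By header (sendXPoweredBy).
       The element name "httpConfig" is an assumed id, not taken from the
       quickstart file. -->
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="sendServerVersion">false</Set>
    <Set name="sendXPoweredBy">false</Set>
  </New>

</Configure>
```

After restarting Jetty with the hardened configuration, a plain HTTP request to the server should return no "Server:" header at all, which is the quickest way to confirm the change took effect.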