[ https://issues.apache.org/jira/browse/DRILL-7367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Volodymyr Vysotskyi updated DRILL-7367:
---------------------------------------
    Labels: ready-to-commit  (was: )

> Remove Server details from response headers
> -------------------------------------------
>
>                 Key: DRILL-7367
>                 URL: https://issues.apache.org/jira/browse/DRILL-7367
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Arina Ielchiieva
>            Assignee: Arina Ielchiieva
>            Priority: Major
>              Labels: ready-to-commit
>             Fix For: 1.17.0
>
>
> Drill response headers include Server information which is considered to be a
> vulnerability.
> {noformat}
> curl http://localhost:8047/cluster.json -v -k
> * Trying ::1...
> * TCP_NODELAY set
> * Connected to localhost (::1) port 8047 (#0)
> > GET /cluster.json HTTP/1.1
> > Host: localhost:8047
> > User-Agent: curl/7.54.0
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Thu, 05 Sep 2019 12:47:53 GMT
> < Content-Type: application/json
> < Content-Length: 436
> < Server: Jetty(9.3.25.v20180904)
> ...
> {noformat}
> https://pentest-tools.com/blog/essential-http-security-headers/
> After the fix headers should be without server information:
> {noformat}
> curl http://localhost:8047/cluster.json -v -k
> * Trying ::1...
> * TCP_NODELAY set
> * Connected to localhost (::1) port 8047 (#0)
> > GET /cluster.json HTTP/1.1
> > Host: localhost:8047
> > User-Agent: curl/7.54.0
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Thu, 05 Sep 2019 13:55:25 GMT
> < Content-Type: application/json
> < Content-Length: 436
> ...
> {noformat}

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
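
A regression check for the behaviour described in the issue, added here as an example (it is not part of the Jira message or of Apache Drill's code). The function names and the two embedded transcripts are constructed for illustration, the transcripts abridged from the `curl -v` output quoted above.

```shell
#!/bin/sh
# Classify the Server response header in a `curl -v` transcript read on stdin.
# Prints exactly one of: absent | present-no-version | version-disclosed
classify_server_header() {
    awk '
        /^< / {                                # curl -v marks response headers with "< "
            line = substr($0, 3)
            sub(/\r$/, "", line)               # tolerate CRLF line endings
            if (tolower(line) ~ /^server:/) {  # header names are case-insensitive
                found = 1
                value = line
                sub(/^[^:]*:[ \t]*/, "", value)
                # A dotted number in the value is treated as a version banner.
                if (value ~ /[0-9]+\.[0-9]+/) versioned = 1
            }
        }
        END {
            if (!found)         print "absent"
            else if (versioned) print "version-disclosed"
            else                print "present-no-version"
        }
    '
}

# Hypothetical helper for a live endpoint: curl writes the -v trace to stderr.
check_url() {
    curl -s -v -k -o /dev/null "$1" 2>&1 | classify_server_header
}

# Constructed samples, abridged from the transcripts quoted in the issue.
BEFORE_FIX='> GET /cluster.json HTTP/1.1
> Host: localhost:8047
>
< HTTP/1.1 200 OK
< Date: Thu, 05 Sep 2019 12:47:53 GMT
< Content-Type: application/json
< Content-Length: 436
< Server: Jetty(9.3.25.v20180904)'

AFTER_FIX='> GET /cluster.json HTTP/1.1
> Host: localhost:8047
>
< HTTP/1.1 200 OK
< Date: Thu, 05 Sep 2019 13:55:25 GMT
< Content-Type: application/json
< Content-Length: 436'

printf 'before fix: %s\n' "$(printf '%s\n' "$BEFORE_FIX" | classify_server_header)"
printf 'after fix:  %s\n' "$(printf '%s\n' "$AFTER_FIX" | classify_server_header)"
```

Against a running Drillbit, `check_url http://localhost:8047/cluster.json` should print `absent` once the fix is in place.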