[ https://issues.apache.org/jira/browse/DRILL-7367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Volodymyr Vysotskyi updated DRILL-7367:
---------------------------------------
    Labels: ready-to-commit  (was: )

> Remove Server details from response headers
> -------------------------------------------
>
>                 Key: DRILL-7367
>                 URL: https://issues.apache.org/jira/browse/DRILL-7367
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Arina Ielchiieva
>            Assignee: Arina Ielchiieva
>            Priority: Major
>              Labels: ready-to-commit
>             Fix For: 1.17.0
>
>
> Drill response headers include Server information which is considered to be a 
> vulnerability.
> {noformat}
> curl http://localhost:8047/cluster.json -v -k
> *   Trying ::1...
> * TCP_NODELAY set
> * Connected to localhost (::1) port 8047 (#0)
> > GET /cluster.json HTTP/1.1
> > Host: localhost:8047
> > User-Agent: curl/7.54.0
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Date: Thu, 05 Sep 2019 12:47:53 GMT
> < Content-Type: application/json
> < Content-Length: 436
> < Server: Jetty(9.3.25.v20180904)
> ...
> {noformat}
> https://pentest-tools.com/blog/essential-http-security-headers/
> After the fix, headers should be without server information:
> {noformat}
> curl http://localhost:8047/cluster.json -v -k
> *   Trying ::1...
> * TCP_NODELAY set
> * Connected to localhost (::1) port 8047 (#0)
> > GET /cluster.json HTTP/1.1
> > Host: localhost:8047
> > User-Agent: curl/7.54.0
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Date: Thu, 05 Sep 2019 13:55:25 GMT
> < Content-Type: application/json
> < Content-Length: 436
> ...
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
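
A regression check for the banner described in the issue above. It is an added example, not part of the original message or of Drill's code. The function name and the trimmed sample transcripts are constructed for illustration, and checking `X-Powered-By` goes beyond the single `Server` header the issue reports.

```shell
#!/bin/sh
# Added example: regression check for the banner shown in DRILL-7367.
# Reads a `curl -v` transcript on stdin and prints response headers that
# identify the server software. Exit status 1 means a banner was found.
find_banner_headers() {
    tr -d '\r' | awk '
        /^< / {                        # "< " marks response lines in curl -v
            line = substr($0, 3)
            n = index(line, ":")
            if (n == 0) next           # status line or blank separator
            name = tolower(substr(line, 1, n - 1))
            if (name == "server" || name == "x-powered-by") {
                print line
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed samples, trimmed from the two transcripts in the issue.
sample_before() {
    cat <<'EOF'
> GET /cluster.json HTTP/1.1
> User-Agent: curl/7.54.0
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< Server: Jetty(9.3.25.v20180904)
EOF
}

sample_after() {
    cat <<'EOF'
> GET /cluster.json HTTP/1.1
> User-Agent: curl/7.54.0
>
< HTTP/1.1 200 OK
< Content-Type: application/json
EOF
}

for s in sample_before sample_after; do
    if hdrs=$($s | find_banner_headers); then
        echo "$s: no server banner"
    else
        echo "$s: banner present: $hdrs"
    fi
done
```

Against a running Drillbit the same function can be fed with `curl -sv -o /dev/null http://localhost:8047/cluster.json 2>&1 | find_banner_headers`; request lines such as `User-Agent: curl/7.54.0` are ignored because only `< ` lines are inspected.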
