[ https://issues.apache.org/jira/browse/NIFI-7962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17235556#comment-17235556 ]
David Handermann commented on NIFI-7962:
----------------------------------------

Is this still a problem when the *nifi.web.should.send.server.version* property is set to false? The Jetty HttpConfiguration.writePoweredBy method appears to honor the send server version property.

> NiFi should not respond with HTTP 500 errors for HTTP TRACK request
> -------------------------------------------------------------------
>
> Key: NIFI-7962
> URL: https://issues.apache.org/jira/browse/NIFI-7962
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.12.1
> Reporter: Andy LoPresto
> Priority: Trivial
> Labels: http, jetty, security
>
> The HTTP {{TRACK}} method was not specified in RFC 2068 [1] for HTTP 1.1 but is now available on some clients. NiFi currently responds to these requests with a 500 Internal Server Error page which reveals the version of the servlet API being used but does not contain any sensitive information. As NiFi is an open source project, the servlet API version would already be readily available to an attacker.
>
> The error page should be generic to obscure the servlet API version.
>
> [1] https://tools.ietf.org/html/rfc2068

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
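A defender-side check for the disclosure discussed in this issue, added here as an example and not code from NiFi or Jetty: it sends a request with an unusual method such as TRACK to your own instance and flags server or servlet version strings in the response headers and error body. The host name, port and the sample Jetty-style error page below are constructed placeholders, as is the version string in it.

```python
import http.client
import re
import ssl

# Patterns that indicate a server/framework version has leaked into a response body.
# "Powered by Jetty://" is the footer Jetty's default error page prints when the
# server version is allowed to be sent (the HttpConfiguration behaviour named above).
DISCLOSURE_PATTERNS = [
    re.compile(r"Powered by Jetty://\s*[\w.\-]+", re.I),
    re.compile(r"\bJetty\s*\(?\d+\.\d+[\w.]*", re.I),
    re.compile(r"\bServlet\s+(?:API\s+)?\d+\.\d+", re.I),
]


def find_disclosures(headers, body):
    """Return a list of (where, matched_text) for version leaks in one response.

    headers: iterable of (name, value) pairs; body: decoded response text.
    """
    findings = []
    for name, value in headers:
        # Server / X-Powered-By headers should be absent on a hardened instance.
        if name.lower() in ("server", "x-powered-by"):
            findings.append((f"header {name}", value))
    for pat in DISCLOSURE_PATTERNS:
        for m in pat.finditer(body):
            findings.append(("body", m.group(0)))
    return findings


def check_method(host, port, method="TRACK", path="/nifi", use_tls=True):
    """Send a single request with the given method and scan the response."""
    ctx = ssl.create_default_context()  # verify the server certificate by default
    conn = (http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
            if use_tls else http.client.HTTPConnection(host, port, timeout=10))
    conn.request(method, path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return resp.status, find_disclosures(resp.getheaders(), body)


# Constructed sample resembling Jetty's default error page; the version is a placeholder.
SAMPLE_500_BODY = """<html><head><title>Error 500 Server Error</title></head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /nifi. Reason:<pre>    Server Error</pre></p>
<hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.x.y-PLACEHOLDER</a><hr/>
</body></html>"""

if __name__ == "__main__":
    # Offline demonstration on the constructed page; for a live check against your own
    # instance call check_method("nifi.example.internal", 8443) instead.
    for where, text in find_disclosures([("Server", "Jetty(9.x.y)")], SAMPLE_500_BODY):
        print(f"{where}: {text}")
```

An empty result after setting `nifi.web.should.send.server.version` to false and restarting confirms that both the header and the error-page footer no longer carry a version.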