I'd be +1 on sending as little information about the server as possible (aka 
"secure") by default.

Whatever the technical merits, this one always comes up on security checklists, 
and anything that makes it harder to forget to set everything up correctly is 
fine by me - assuming the documentation of how to get the version details for 
debugging is clear and easy to find (as an FAQ, or maybe in a new 
"Troubleshooting" section in the docs?).

Best regards,

Ed

-----Original Message-----
From: MapServer-dev <[email protected]> On Behalf Of Seth G
Sent: Wednesday, 25 January 2023 16:13
To: MapServer Devs <[email protected]>
Subject: [MapServer-dev] MapServer version information in error messages

Hi all,

Does anyone have any thoughts about removing MapServer version information from 
any errors/responses sent to client applications?

A few relevant online discussions [1] [2]. As MapServer falls more in the 
generic server category I'd be +1 on removing the details from responses (and 
leaving them in the client applications). 

See https://github.com/MapServer/MapServer/pull/6794 for some more details. I 
added in Proj and GDAL versions which are handy for admins/debugging, but 
provide more information to a malevolent party looking to attack a MapServer 
instance. 

Seth

[1] https://softwareengineering.stackexchange.com/questions/345072/is-my-app-version-a-sensitive-information
[2] https://security.stackexchange.com/questions/170352/is-it-safe-to-display-version-information-on-a-public-webpage-of-your-web-app

--
web: https://geographika.net
twitter: @geographika
_______________________________________________
MapServer-dev mailing list
[email protected]
https://lists.osgeo.org/mailman/listinfo/mapserver-dev
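The pattern the thread argues for, as an added example that is not part of the original messages and not MapServer's own code: the client-facing error carries only a generic message and a correlation id, while the full detail (including MapServer, PROJ and GDAL versions, which admins want for debugging) goes to the server log under the same id. The version strings below are constructed, the `debug_mode` flag is a hypothetical admin-only switch, and `discloses_versions` is a small check that can be run over responses as a regression test once the change is in place.

```python
import logging
import re
import uuid

# Constructed version strings for the example; not taken from a real MapServer build.
SERVER_COMPONENTS = {"MapServer": "8.0.0", "PROJ": "9.1.1", "GDAL": "3.6.2"}

log = logging.getLogger("mapserver.errors")

# Matches "<Component> ... <x.y[.z]>" for the components the thread mentions,
# allowing a short run of non-digits (e.g. " version ") between name and number.
VERSION_PATTERN = re.compile(
    r"\b(MapServer|PROJ|GDAL)\b[^\d\n]{0,20}\d+\.\d+(\.\d+)?", re.IGNORECASE
)


def version_banner():
    """Full component banner, intended for server-side logs only."""
    return ", ".join(f"{name} {ver}" for name, ver in SERVER_COMPONENTS.items())


def build_error_response(internal_message, debug_mode=False):
    """Split an internal error into what the client sees and what the server logs.

    Returns (client_body, server_log_line).  The client body carries a generic
    message plus a correlation id; the versions go to the server log, where an
    admin can match them up by that id.  debug_mode=True (hypothetical, admin-only)
    reproduces the full banner in the response for troubleshooting.
    """
    incident_id = uuid.uuid4().hex[:12]
    server_log_line = f"[{incident_id}] {internal_message} ({version_banner()})"
    log.error(server_log_line)

    if debug_mode:
        client_body = f"Server error {incident_id}: {internal_message} ({version_banner()})"
    else:
        client_body = f"Request failed. Reference id: {incident_id}"
    return client_body, server_log_line


def discloses_versions(body):
    """True if a response body still contains a component version string."""
    return VERSION_PATTERN.search(body) is not None


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    # Constructed error text for the demonstration.
    body, line = build_error_response("Failed to draw layer 'roads'")
    print("client sees :", body)
    print("server logs :", line)
    print("client body discloses versions?", discloses_versions(body))
```

Keeping the correlation id in both places is what makes the quiet default workable in practice: a user reporting "Reference id: abc123" gives the admin a direct handle on the log line that still has the MapServer, PROJ and GDAL versions.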