I'm +1 on cleaning that up as well. I wouldn't think someone would base client behavior on a comment in an error message - too brittle.

On Wed, Jan 25, 2023 at 9:55 AM Nash, Edward <[email protected]> wrote:

> I'd be +1 on sending as little information about the server as possible
> (aka "secure") by default.
>
> Whatever the technical merits, this one always comes up on security
> checklists, and anything that makes it harder to forget to set everything
> up correctly is fine by me - assuming the documentation of how to get the
> version details for debugging is clear and easy to find (as an FAQ, or
> maybe in a new "Troubleshooting" section in the docs?).
>
> Best regards,
>
> Ed
>
> -----Original Message-----
> From: MapServer-dev <[email protected]> On behalf of
> Seth G
> Sent: Wednesday, January 25, 2023 16:13
> To: MapServer Devs <[email protected]>
> Subject: [MapServer-dev] MapServer version information in error messages
>
> Hi all,
>
> Does anyone have any thoughts about removing MapServer version information
> from any errors/responses sent to client applications?
>
> A few relevant online discussions [1] [2]. As MapServer falls more in the
> generic server category I'd be +1 on removing the details from responses
> (and leaving them in the client applications).
>
> See https://github.com/MapServer/MapServer/pull/6794 for some more
> details. I added in Proj and GDAL versions which are handy for
> admins/debugging, but provide more information to a malevolent party
> looking to attack a MapServer instance.
>
> Seth
>
> [1]
> https://softwareengineering.stackexchange.com/questions/345072/is-my-app-version-a-sensitive-information
> [2]
> https://security.stackexchange.com/questions/170352/is-it-safe-to-display-version-information-on-a-public-webpage-of-your-web-app
>
> --
> web:https://geographika.net
> twitter: @geographika
> _______________________________________________
> MapServer-dev mailing list
> [email protected]
> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
