Hi Sven,

when running a Zinc Server

ZnServer startDefaultOn: 8080.

the server currently reveals the framework, the framework version and the Pharo version it is running on as part of the HTTP communication. For instance

(ZnEasy get: 'http://localhost:8080') headers at: 'Server'

would give

Zinc HTTP Components 1.0 (Pharo/7.0)

in the Server header.

While this is nice for debugging and during development, this can be a problem in more secured/pentested environments, where usually specific headers are turned off so as not to give specific information to an attacker (which would allow him to find vulnerabilities of specific versions or servers).

While headers could be changed or rewritten in front-ends or load-balancing servers, we cannot assume that Pharo images always work as backend servers. Web servers like Nginx, Apache, IIS, Express in JS, PHP and others allow these headers to be disabled/modified.

Using the attached changeset it is possible to modify the Server header and customize it:

ZnHeaders serverString: 'MoreSecureServer'

If the server string is not customized, the default server string is used as before.

We should make sure this is integrated into Pharo 7 but also into the Zinc framework. I opened a bug:
https://pharo.fogbugz.com/f/cases/22317/ZnHeaders-should-allow-custom-or-empty-Server-info

As Zinc is also managed externally, how should we proceed?

Thx
T.
ZincCustomServerName.1.cs
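The check below is an added example, not code from the post or from Zinc itself: it probes the Server header of the default server before and after applying the changeset's customization, and flags any value that still carries a version number or the Pharo tag. It assumes ZincCustomServerName.1.cs is loaded (providing the ZnHeaders class-side serverString: shown above), that port 8080 is free, and that the string is read when a server builds its headers, so the server is restarted after changing it. Evaluate it in a Playground.

```smalltalk
"Added example: audit what the Server header discloses (assumes the changeset above is loaded)."
| probe result |
"probe answers serverHeaderValue -> true if the value discloses a version or the Pharo tag."
probe := [ :port |
	| value |
	value := (ZnEasy get: 'http://localhost:', port printString) headers
		at: 'Server' ifAbsent: [ '' ].
	value -> ((value includesSubstring: 'Pharo')
		or: [ value matchesRegex: '.*[0-9]+\.[0-9]+.*' ]) ].

"1. Default behaviour: the header reads e.g. 'Zinc HTTP Components 1.0 (Pharo/7.0)'."
ZnServer startDefaultOn: 8080.
[ result := probe value: 8080.
  Transcript show: 'before: '; show: result printString; cr.
  self assert: result value ]
	ensure: [ ZnServer stopDefault ].

"2. Apply the changeset's customization and restart so the new string is used."
ZnHeaders serverString: 'MoreSecureServer'.
ZnServer startDefaultOn: 8080.
[ result := probe value: 8080.
  Transcript show: 'after: '; show: result printString; cr.
  self assert: result key = 'MoreSecureServer'.
  self assert: result value not ]
	ensure: [ ZnServer stopDefault ].
```

The same probe block can be pointed at any other port to verify that a front-end or load balancer really strips the version before traffic reaches the Pharo image.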
