Benoit Tellier created JAMES-3616:
-------------------------------------
Summary: WebAdmin: hide Jetty version
Key: JAMES-3616
URL: https://issues.apache.org/jira/browse/JAMES-3616
Project: James Server
Issue Type: Improvement
Components: webadmin
Reporter: Benoit Tellier
The Jetty version is advertised:
{code}
root@james-jmap-bf57d6d59-4rnfb:/# curl --head 'http://127.0.0.1:8000/users/[email protected]'
HTTP/1.1 401 Unauthorized
Date: Thu, 22 Jul 2021 04:02:25 GMT
Access-Control-Allow-Origin: *
Access-Control-Request-Method: DELETE, GET, POST, PUT
Access-Control-Allow-Headers: Content-Type, Authorization, Accept
Content-Type: application/json
Transfer-Encoding: chunked
Server: Jetty(9.4.31.v20200723)
{code}
This avoids scans that could map to known CVEs.
We likely should consider hiding the Server field...
Cf
https://stackoverflow.com/questions/56641783/how-to-remove-server-versionserver-jetty9-2-z-snapshot-from-spark-web-ui
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
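What suppressing the banner looks like on the Jetty side, as an added illustration that is not James code and not a proposed patch: the string `Jetty(9.4.31.v20200723)` is emitted by Jetty's `HttpConfiguration` when `sendServerVersion` is left at its default of `true`. The class below (names `QuietJetty`, `build`, `serverHeaderOf` are this example's own) starts a plain embedded Jetty 9.4 server twice on an ephemeral port, once with the default and once with the version disabled, and reads back the `Server` header with a HEAD request so the difference is visible. It assumes `jetty-server` 9.4.x and the javax servlet API on the classpath; how the flag reaches the Jetty instance underneath James WebAdmin is not shown here.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

/** Example only: embedded Jetty with and without the "Server: Jetty(...)" banner. */
public class QuietJetty {

    /** Build a server on an ephemeral port; hideVersion=false reproduces the default. */
    public static Server build(boolean hideVersion) {
        Server server = new Server();

        HttpConfiguration config = new HttpConfiguration();
        // Default is true and is what produces "Server: Jetty(9.4.31.v20200723)".
        config.setSendServerVersion(!hideVersion);
        // Also suppress "X-Powered-By: Jetty(...)" which is off by default but easy to turn on.
        config.setSendXPoweredBy(false);

        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(config));
        connector.setPort(0); // ephemeral port, read back after start()
        server.addConnector(connector);

        // Minimal handler mimicking the 401 JSON answer from the report (constructed, not James code).
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws IOException {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.setContentType("application/json");
                response.getWriter().print("{}");
                baseRequest.setHandled(true);
            }
        });
        return server;
    }

    /** HEAD request against the running server; returns null when no Server header is sent. */
    public static String serverHeaderOf(Server server) throws IOException {
        int port = ((ServerConnector) server.getConnectors()[0]).getLocalPort();
        URL url = new URL("http://127.0.0.1:" + port + "/users/someone");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("HEAD");
        try {
            // getHeaderField connects and swallows the 401, so headers are still readable.
            return conn.getHeaderField("Server");
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        for (boolean hide : new boolean[] {false, true}) {
            Server server = build(hide);
            server.start();
            try {
                System.out.println("sendServerVersion=" + !hide + " -> Server: " + serverHeaderOf(server));
            } finally {
                server.stop();
            }
        }
    }
}
```

Two caveats a reviewer would add: the header removal only stops trivial banner grabbing, it does not change which Jetty CVEs actually apply, so the dependency still needs to be kept current; and Jetty remains identifiable from other traits (default error pages, header ordering, chunked encoding behaviour), so this is hygiene rather than a security boundary.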