Ability to mask the http response header Server attribute #825
Comments
|
Typically gunicorn is deployed behind a reverse proxy server like nginx in production environment, and nginx would output its own |
|
upstair plus one |
|
with @benoitc we can propose an option on the command line, what do you think? otherwise, we will close this ticket as explained by @georgexsh , in production mode, you can use a reverse proxy (nginx, apache, ...). |
|
Couldn't one just modify the environ in a |
|
@tilgovi that would work I guess... not sure then if we need to create another option... |
|
Doesn't work. The request is sent already at that point. |
|
@tilgovi middleware wont work too, because |
|
What if we just remove the Server header altogether? |
|
+1 If we allow you to set the header's value to a random string, we should also allow you to remove the header completely. |
|
+1 |
|
why do you want to remove the header? |
|
In the past, I've removed the header from deployments to hide the server software and version so that it doesn't get picked up by someone crawling for servers with a known exploit. |
|
Yup. Security is one of the reasons. Of course, you can change the |
|
I took the liberty to make a PR for this feature: #1384 . It has been on my wanted list for some time. To add to the discussion: I would argue that while some reverse proxy servers modify the |
|
Unfortunately, @mathiasverhoeven closed his PR for some reason and hasn't had activity lately. Would it be impossible to have more generic option here, as in At the moment, I would like to adjust I can throw something together based on @mathiasverhoeven's PR. @benoitc and @tilgovi what do you think? |
|
Just going to leave this here: https://www.fastly.com/blog/headers-we-dont-want. As you can read in the article, the |
|
I would also like to be able to omit the Server header. I use a security-focused webserver called Hiawatha to reverse proxy, set not to add a Server header of its own, so gunicorn's Server header is currently making it to clients. @tuukkamustonen's idea sounds good to me. :) Edit: just seen #1617. |
|
Anyone running Flask? https://stackoverflow.com/a/46858238/452210 suggests wrapping and overriding |
|
Yes please at least remove version. Version adds nothing to fame and saves a lot of time for attackers. |
|
I am thinking to just remove the version. @tilgovi any thoughts on it? |
|
Fine for me! |
All our requests identify the web server they were served with via the `server` response header. This opens us up to potential attackers who might be crawling the internet looking for specific versions with known vulnerabilities. As our dependencies are open source, this doesn't affect any targeted attacks as they can just look at our repos on github, but this theoretically will marginally improve security. Regardless, the header isn't useful [1], we're not the first people to want to get rid of it, and gunicorn are in the process of at least amending it to remove the version information [2]. This shouldn't have any impact on us, though an empty string will be passed through to debug information in event of a crash. That's fine though, as we already know what version we're running. [1] https://www.fastly.com/blog/headers-we-dont-want [2] benoitc/gunicorn#825
All our requests identify the web server they were served with via the `server` response header. This opens us up to potential attackers who might be crawling the internet looking for specific versions with known vulnerabilities. As our dependencies are open source, this doesn't affect any targeted attacks as they can just look at our repos on github, but this theoretically will marginally improve security. Regardless, the header isn't useful [1], we're not the first people to want to get rid of it, and gunicorn are in the process of at least amending it to remove the version information [2]. This shouldn't have any impact on us, though an empty string will be passed through to debug information in event of a crash. That's fine though, as we already know what version we're running. [1] https://www.fastly.com/blog/headers-we-dont-want [2] benoitc/gunicorn#825
|
Any progress on this one? This seems like a quick win for security. |
|
that will be part of the next 20.1 |
benoitc
added
Improvement
To Schedule
To DO
and removed
Feedback Requested
To Schedule
labels
Is the configuration file-only setting to remove the Server header altogether still planned? |
|
@DavidOliver why the question? |
|
@benoitc Your comment which I quoted could be interpreted to mean that it's "just"/only the version number which will be removed, whereas earlier in the conversation the setting to remove the Server header altogether (which I'd like to do) was being considered. Thanks. |
|
If we can just remove the server header altogether, we should do it. |
|
I still have to be convinced that removing it has something to do with the
security. It has not been an issue in the last 10 years. Security by
obscurity doesn't help also, I would prefer to know we have an issue and
fix it. Also knowing the server can help the operations
I'm inclined to remove the version at the moment as this version is giving
too much information on how the server is maintained. We should do it for
each branch we maintained.
Thoughts?
Benoît
On Sun 29 Dec 2019 at 04:23 Randall Leeds ***@***.***> wrote:
If we can just remove the server header altogether, we should do it.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#825?email_source=notifications&email_token=AAADRIQBGN2KQRKOKLAYK43Q3AJ2PA5CNFSM4ASCOWF2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEHYW27Q#issuecomment-569470334>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAADRISEUFGD43CKXLV3EZTQ3AJ2PANCNFSM4ASCOWFQ>
.
--
Sent from my Mobile
|
|
Hi, I'm using gunicorn to serve responses over a connection where data The Server header is small, but small things add up, and sometimes On a fresh HTTPS connection, the handshake and certificate This might also matter for people who care more about client For this use case, the most useful option is to be able to |
|
This comment is mostly limited to adding relevant reference/spec/RFC information, and (hopefully) mostly unopinionated interpretation/commentary. RFC7231 Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content https://tools.ietf.org/html/rfc7231#section-7.4.2
https://tools.ietf.org/html/rfc7231#section-9.6
From (deprecated) RFC2616:
PEP3333 Python Web Server Gateway Interface v1.0.1 https://www.python.org/dev/peps/pep-3333/#the-start-response-callable
|
|
Plenty of opinion on this, such as in Apache HTTPD
|
|
Changing the server header to just say People like @kmichel-sereema, who want to optimize the size of every transfer, I think this is not the place to perform such micro-optimization. If the HTTP headers are too much overhead, HTTP 1.x is the not the ideal protocol to use, and I don't think we should add additional configuration to allow changing or disabling the server header. |
|
The suggestion of @tilgovi seems like a good compromise to me. In many environments this may even be moot. The gunicorn deployment documents recommend having a proxy server like nginx in front of gunicorn. nginx automatically strips the Server response header from the proxied server before it goes to the client, and can be configured to strip more headers. Surely more security-focused proxies can do the same. |
Right now, all responses have the http header
server: gunicorn/19.0.0
For security reasons, I would like to be able to mask that so that people won't know to search for security vulnerabilities in gunicorn. Is there any way to mask it? via a setting perhaps?
The text was updated successfully, but these errors were encountered: