Modify "server" header #143
Comments
We're already setting the ServerTokens to Prod. This is the right directive to set the response header. If we want to override the server response header sent by the backend with the server header
|
I think I'd rather add three new environment variables |
Good suggestion, thank you! |
Any news on this? |
I have a PR ready, but I'm not able to build the container locally to test it. |
@franbuehler Any news on this one? Was this solved by #151? |
I think this issue should have been fixed with #151. Not sure if something's still missing though. |
Almost done ;-) |
Ping @franbuehler ... |
For nginx, I've been able to build additional modules using a Dockerfile such as this to get rid of the Server header. It's based on the modsecurity-crs-docker image, and builds the module using the same version of nginx so that you don't run into problems with different versions that you can get if you try to install the modules using apk. This example is using ngx_security_headers, but I've also tried headers-more and it works just as well.

```dockerfile
# Build stage: compile the module against the exact nginx version shipped in the
# modsecurity-crs image (NGINX_VERSION is inherited from the base image environment).
ARG MODSECURITY_TAG="3.3-nginx-alpine-202312070812"
FROM owasp/modsecurity-crs:${MODSECURITY_TAG} AS build
ARG SECURITY_HEADERS_VERSION="0.1.0"
RUN apk add --no-cache alpine-sdk pcre-dev pcre2-dev
# Fetch the matching nginx source tree
RUN wget http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz
RUN tar -xzvf nginx-${NGINX_VERSION}.tar.gz
# Fetch the ngx_security_headers module source
RUN wget https://github.com/GetPageSpeed/ngx_security_headers/archive/refs/tags/${SECURITY_HEADERS_VERSION}.tar.gz
RUN tar -xzvf ${SECURITY_HEADERS_VERSION}.tar.gz
# --with-compat makes the dynamic module binary-compatible with the packaged nginx;
# chain with && so a failed configure or make aborts the build instead of being ignored
RUN cd nginx-${NGINX_VERSION} \
    && ./configure --with-compat \
       --add-dynamic-module=../ngx_security_headers-${SECURITY_HEADERS_VERSION} \
    && make modules \
    && cp objs/ngx_http_security_headers_module.so /etc/nginx/modules/

# Final stage: only the compiled .so is copied into a clean image
FROM owasp/modsecurity-crs:${MODSECURITY_TAG}
COPY --from=build /etc/nginx/modules/ngx_http_security_headers_module.so /etc/nginx/modules/ngx_http_security_headers_module.so
```

You will also have to update your nginx config to load the module and configure it. |
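Whichever route is taken (Apache's `ServerTokens Prod`, nginx's `server_tokens off`, or a module that strips the header entirely), the result should be verified on the running container. The following is an added example, not code from this issue or from the modsecurity-crs-docker project: it parses an HTTP response head and classifies what the Server header reveals, with constructed sample responses; the `check_live` helper assumes a host and port you operate.

```python
"""Classify what the Server response header reveals (added example)."""
import http.client
import re
from email.parser import BytesParser

# "Apache/2.4.57", "nginx/1.25.3", "Microsoft-IIS/10.0": a slash followed by a digit
# is the usual shape of a version token in a Server header.
VERSION_RE = re.compile(r"/\d")


def classify_server_header(value):
    """Return 'absent', 'product-only' or 'version-disclosed' for a Server header value."""
    if value is None or value.strip() == "":
        return "absent"
    return "version-disclosed" if VERSION_RE.search(value) else "product-only"


def server_header_from_raw(raw):
    """Parse a raw HTTP/1.x response (bytes) and return the Server header, or None."""
    head, _, _ = raw.partition(b"\r\n\r\n")          # drop the body
    _status_line, _, header_block = head.partition(b"\r\n")
    headers = BytesParser().parsebytes(header_block)  # RFC 822-style header parsing
    return headers.get("Server")


def check_raw_response(raw):
    return classify_server_header(server_header_from_raw(raw))


def check_live(host, port=80, path="/"):
    """HEAD request against a server you operate (hypothetical host/port); returns the class."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        return classify_server_header(conn.getresponse().getheader("Server"))
    finally:
        conn.close()


# Constructed sample responses: ServerTokens Full, ServerTokens Prod, header removed
FULL_TOKENS = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Unix) OpenSSL/3.0.8\r\nContent-Length: 0\r\n\r\n"
PROD_TOKENS = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"
HEADER_REMOVED = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("full", FULL_TOKENS), ("prod", PROD_TOKENS), ("removed", HEADER_REMOVED)]:
        print(name, check_raw_response(raw))
```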
Awesome @audunru! Do you want to push a PR that might help fix this one? |
ping @franbuehler @audunru |
Still on my table. I want to start working on this! |
Hey @franbuehler. Do you have time to work on this, do we close, what's next? |
Is it possible to use SecServerSignature/ServerSignature to modify the server header to not give potential attackers extra info?