Closed CrowdHailer closed 6 years ago
Server: Microsoft-IIS/8.5 The web server discloses its version. This may allow attackers to use known vulnerabilities and conduct further attacks against it.
Isn't this seen as a bad practice?
Also, we could consider a secure_defaults middleware that more or less sets recommended headers for secure websites; see https://www.htbridge.com/websec/
OK, so maybe just no server header. Cowboy and most other servers I have used still seem to add it though?
Cowboy and most other servers I have used still seem to add it though
True. But does it offer any real value?
@CharlesOkwuagwu I think you raise good points on this. I'm going to close without addressing this. Also it is easy enough for a user to use Raxx.set_header("server", "whatever") if they want.
If you have time, adding an entry to the FAQ about why there is no server header would be appreciated.
Before I add this to the FAQ, I'm concerned about one small thing...
The server name is ACE (similar to other servers: Cowboy, IIS, Apache, nginx, etc.), so why are we documenting it in the Raxx FAQ? Is it not out of place?
That's a good point. I think it does better belong as a note in the Ace project somewhere. :100:
Server header should only be added if not already set by the application.
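The two ideas above (a secure_defaults-style middleware that adds recommended headers, and adding the Server header only when the application has not already set it) can be combined in one helper. The code below is an added example and is not code from Raxx, Ace or this thread. It assumes Raxx's public Raxx.get_header/2 (returns nil when absent) and Raxx.set_header/3 helpers behave as in current Raxx versions; the module name SecureDefaults, the :server_header option and the header values are illustrative choices, not project conventions.

```elixir
# Added example, not Raxx's or Ace's own code. Fills in recommended
# security headers, and optionally a Server header, only where the
# application has not already set them. Raxx.set_header/3 raises when a
# header is already present, so every default is guarded by get_header.
defmodule SecureDefaults do
  # Defaults a server (or middleware) would add when the application has
  # not chosen its own value. Values here are assumptions for illustration.
  @defaults [
    {"x-content-type-options", "nosniff"},
    {"x-frame-options", "DENY"},
    {"strict-transport-security", "max-age=31536000; includeSubDomains"},
    {"referrer-policy", "no-referrer"}
  ]

  # Apply defaults to a response. Any header the application already set wins.
  # The :server_header option is hypothetical; when it is absent (nil) the
  # Server header is omitted entirely, which is the thread's recommendation.
  def apply(%Raxx.Response{} = response, opts \\ []) do
    server = Keyword.get(opts, :server_header)

    response
    |> put_defaults(@defaults)
    |> maybe_set_server(server)
  end

  # Walk the default list, adding each header only if it is not present.
  defp put_defaults(response, defaults) do
    Enum.reduce(defaults, response, fn {name, value}, resp ->
      case Raxx.get_header(resp, name) do
        nil -> Raxx.set_header(resp, name, value)
        _already_set -> resp
      end
    end)
  end

  # No configured value: leave the Server header out.
  defp maybe_set_server(response, nil), do: response

  # Configured value: still defer to an application-set Server header.
  defp maybe_set_server(response, value) do
    case Raxx.get_header(response, "server") do
      nil -> Raxx.set_header(response, "server", value)
      _already_set -> response
    end
  end
end

# Usage: the application's own frame policy is kept, and because no
# :server_header is passed the response carries no Server header at all.
response =
  Raxx.response(:ok)
  |> Raxx.set_header("x-frame-options", "SAMEORIGIN")
  |> SecureDefaults.apply()

Raxx.get_header(response, "x-frame-options")
Raxx.get_header(response, "server")
```

In the usage above the first lookup returns the application's "SAMEORIGIN" rather than the "DENY" default, and the second returns nil; passing server_header: "ACE" would add the header only for responses where the application left it unset.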
QUESTION: Should the application ever get to set this? Is this by definition something that the server implementation (e.g. Cowboy, Ace) should take care of? For what reason would the application overwrite it?
NOTE: This is nothing more than a default header and so could be simply