Every time we have a security scan run on our Orchard tenants, we get flagged with warnings related to information discovery. While the risk with those "vulnerabilities" is debatable, I propose a fix to quickly remove some of them.

| Header | Solution |
| --- | --- |
| Server | Can be removed by changing global.asax |
| X-AspNet-Version | Can be removed by changing web.config |
| X-AspNetMvc-Version | Can be removed by changing global.asax |
| X-Generator | Can be removed by changing Orchard.Framework/Owin/Startup.cs |
| X-Powered-By | Requires a fix from IIS (*) |

I will create a PR momentarily with the changes to remove the first four headers, but let me know whether this is desired by the community. Also, let me know how everyone else is handling this bit.
(*) I played around with trying to remove it from code in the same ways I am taking care of the other headers, but to no avail.
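
The global.asax and web.config changes listed in the table, sketched as an added example (not the code from the proposed PR or from Orchard itself). The class name `MvcApplication` is an assumption, and the `X-Generator` change in `Startup.cs` is not shown.

```csharp
// Global.asax.cs -- added illustration, not Orchard's own code.
// The class name MvcApplication is an assumption.
using System;
using System.Web;
using System.Web.Mvc;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Stops ASP.NET MVC from emitting X-AspNetMvc-Version.
        MvcHandler.DisableMvcResponseHeader = true;
    }

    // Raised just before response headers are sent to the client,
    // after the Server header has been queued by the pipeline.
    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = sender as HttpApplication;
        var response = app?.Context?.Response;
        if (response == null)
        {
            return;
        }

        // Response.Headers can only be modified in IIS integrated pipeline
        // mode; in classic mode the call throws PlatformNotSupportedException.
        if (HttpRuntime.UsingIntegratedPipeline)
        {
            response.Headers.Remove("Server");
        }
    }
}

// web.config, inside <system.web>: suppresses X-AspNet-Version.
//   <httpRuntime enableVersionHeader="false" />
```

After deploying, request any page and inspect the response headers to confirm that `Server`, `X-AspNet-Version` and `X-AspNetMvc-Version` are no longer present.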