TooTallNate / Java-WebSocket

A barebones WebSocket client and server implementation written in 100% Java.
http://tootallnate.github.io/Java-WebSocket
MIT License

Server leaks implementation information #1332

Open willtemperley opened 1 year ago

willtemperley commented 1 year ago

Upgrade error responses provide details of the implementation and the protocol. This may be useful when debugging, but in production it's a security risk.

https://github.com/TooTallNate/Java-WebSocket/blob/30ba037006b8203b56aeb760ee36949b65803175/src/main/java/org/java_websocket/WebSocketImpl.java#L463

marci4 commented 1 year ago

Feel free to open a PR with an option to disable this

PhilipRoman commented 1 year ago

I don't think there is need to change anything - it is a common practice to report the server implementation and all http servers I know do it. You can pick any site, and do curl -D - -o /dev/null https://example.com | grep -i server and see the server implementation. Apache even reports details like OpenSSL version so I don't see the issue here.

willtemperley commented 1 year ago

@PhilipRoman The issue is that it isn't necessary to expose the implementation, and if any vulnerabilities exist, it makes them easier to exploit. Using your command, I can't find an important website that discloses the server implementation.

"While exposed server information is not necessarily in itself a vulnerability, it is information that can assist attackers in exploiting other vulnerabilities that may exist."

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server
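As an added example (not part of this thread and not Java-WebSocket's own code), here is the fingerprinting check the discussion above is about, written in Python: it builds a deliberately malformed WebSocket upgrade request (no Sec-WebSocket-Key) so that a server must answer with its handshake-error response, parses a raw HTTP response, and reports the headers and body tokens that disclose the implementation. The sample response is constructed for the demo and does not reproduce what Java-WebSocket actually sends; the product name ExampleWebSocketLib, the list of disclosing headers, the version-token pattern and the probe() helper are all assumptions made for illustration.

```python
import re
import socket

# Constructed sample input: a plausible handshake-error reply with a Server
# header and a descriptive body. It is NOT captured from Java-WebSocket.
SAMPLE_BODY = b"Invalid handshake (ExampleWebSocketLib/1.2.3): missing Sec-WebSocket-Key"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: ExampleWebSocketLib/1.2.3 (Java 17)\r\n"
    b"Content-Type: text/plain\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)
    + SAMPLE_BODY
)

# Assumed list of response headers that commonly reveal the server stack.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Loose pattern for "product/1.2.3" style tokens inside a response body.
VERSION_TOKEN = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)*")


def build_bad_upgrade_request(host, path="/"):
    """Upgrade request that deliberately omits Sec-WebSocket-Key, so a
    conforming WebSocket server has to reject it with an HTTP error."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("iso-8859-1", errors="replace")


def find_disclosures(raw):
    """Return a list of findings describing implementation details leaked by
    the response: disclosing headers first, then version tokens in the body."""
    _status, headers, body = parse_response(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            findings.append(f"header {name}: {headers[name]}")
    for token in VERSION_TOKEN.findall(body):
        findings.append(f"body version token: {token}")
    return findings


def minimal_error_response():
    """What a non-disclosing rejection looks like: status only, empty body."""
    return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def probe(host, port, path="/", timeout=5.0):
    """Send the malformed upgrade to a live server and return its raw reply.
    Assumed helper for use only against servers you are authorised to test;
    the offline demo below never calls it."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bad_upgrade_request(host, path))
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # server kept the connection open; use what we have
    return b"".join(chunks)


if __name__ == "__main__":
    for finding in find_disclosures(SAMPLE_RESPONSE):
        print("leak:", finding)
    print("hardened response findings:", find_disclosures(minimal_error_response()))
```

Run against the constructed sample, find_disclosures reports both the Server header and the product token in the body; the same check on minimal_error_response() reports nothing, which is the shape an opt-out like the one suggested in this thread would produce.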