Open willtemperley opened 1 year ago
Feel free to open a PR with an option to disable this
I don't think there is a need to change anything - it is a common practice to report the server implementation and all HTTP servers I know do it. You can pick any site and do `curl -D - -o /dev/null https://example.com | grep -i server`
and see the server implementation. Apache even reports details like the OpenSSL version, so I don't see the issue here.
@PhilipRoman The issue is that it isn't necessary to expose the implementation, and if any vulnerabilities exist it makes them easier to exploit. Using your command, I can't find an important website that discloses the server implementation.
"While exposed server information is not necessarily in itself a vulnerability, it is information that can assist attackers in exploiting other vulnerabilities that may exist."
Upgrade error responses provide details of the implementation and the protocol. This may be useful when debugging, but in production it's a security risk.
https://github.com/TooTallNate/Java-WebSocket/blob/30ba037006b8203b56aeb760ee36949b65803175/src/main/java/org/java_websocket/WebSocketImpl.java#L463
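The thread makes two claims worth checking mechanically: that the `curl -D -` check above shows which sites disclose a `Server` header, and that upgrade error responses can leak implementation and protocol details in their body. The script below is an added example, not code from this issue or from the Java-WebSocket project; it scans raw HTTP responses (constructed here, so it runs offline) for disclosing headers and for product/version tokens such as `Apache/2.4.57` in either headers or body. The error-body text in `SAMPLE_WS_ERROR` is a hypothetical message, not the library's actual output.

```python
"""Flag implementation and version disclosure in raw HTTP responses.

Added example for the disclosure discussed in the thread. The sample
responses are constructed by hand; the WebSocket error text is hypothetical
and does not claim to reproduce any real server's message.
"""
import re

# Headers that commonly reveal the server implementation or its dependencies.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

# Product/version tokens such as "Apache/2.4.57", "OpenSSL/3.0.2" or "Foo-WS/1.5.3".
VERSION_TOKEN = re.compile(r"\b([A-Za-z][A-Za-z0-9_.-]*)/(\d+(?:\.\d+)+[A-Za-z0-9]*)")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, headers dict, body).

    Header names are lower-cased; a repeated header keeps its last value,
    which is enough for a disclosure check.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def find_disclosures(raw: bytes) -> dict:
    """Return exposed headers and every product/version token found.

    versions is a list of (product, version, where) where 'where' is the
    header name or "body". An empty result means nothing was disclosed.
    """
    status, headers, body = parse_response(raw)
    exposed = {n: headers[n] for n in DISCLOSING_HEADERS if n in headers}
    versions = []
    for name, value in exposed.items():
        versions += [(prod, ver, name) for prod, ver in VERSION_TOKEN.findall(value)]
    # Error bodies are the second leak: a handshake rejection that echoes the
    # implementation name/version gives an attacker the same information.
    versions += [(prod, ver, "body") for prod, ver in VERSION_TOKEN.findall(body)]
    return {"status": status, "exposed_headers": exposed, "versions": versions}


# Constructed sample 1: the classic Server header, as the curl check would show it.
SAMPLE_APACHE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.57 (Ubuntu) OpenSSL/3.0.2\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

# Constructed sample 2: a hypothetical WebSocket upgrade rejection whose body
# names the implementation and version (not any real server's message).
SAMPLE_WS_ERROR = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Invalid handshake: missing Sec-WebSocket-Key (Example-WS/1.5.3, RFC 6455)"
)

# Constructed sample 3: the hardened form - same status, generic body, no Server header.
SAMPLE_HARDENED = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"Bad Request"
)


def disclosure_report(raw: bytes) -> str:
    """One-line human-readable summary for a response."""
    result = find_disclosures(raw)
    if not result["exposed_headers"] and not result["versions"]:
        return f"{result['status']}: no implementation disclosure"
    parts = [f"{k}: {v}" for k, v in result["exposed_headers"].items()]
    parts += [f"{p} {v} in {w}" for p, v, w in result["versions"]]
    return f"{result['status']}: " + "; ".join(parts)


if __name__ == "__main__":
    for sample in (SAMPLE_APACHE, SAMPLE_WS_ERROR, SAMPLE_HARDENED):
        print(disclosure_report(sample))
```

Run it on captured responses (for instance the output of `curl -D - -o /dev/null <url>` saved to a file, or a rejected upgrade attempt captured with `curl -i -H 'Upgrade: websocket' <url>`) to see whether a deployment leaks anything; the hardened sample shows the target state: an error status that is still correct for the client, with no product or version in either headers or body.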