cloudfoundry / capi-release

Bosh Release for Cloud Controller and friends
Apache License 2.0

Remove nginx from response headers and error responses #406

Closed kathap closed 6 months ago

kathap commented 7 months ago

We observed that the server name (Nginx) is leaked in the header and in the body of an error message.

To bolster the security stance of the web application and reduce the likelihood of information exposure, it's highly advised to refrain from divulging the server's name and version in any response data, including error messages.

What the PR changes: adjust NGINX sources by using sed to perform an in-place substitution of the server name before building nginx (Found by @philippthun here)

With this change the server name does not appear any more in any response/error message.
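The pre-build substitution and a release-time check for the leak, as an added example that is not the PR's own script and not code from capi-release or nginx. It assumes the two nginx source lines that carry the name read `"Server: nginx"` (header filter) and `"<hr><center>nginx</center>"` (built-in error pages); the file names, the replacement name `web`, and the HTTP responses used below are constructed stand-ins, so check them against the nginx tarball and a real deployment before relying on them.

```shell
#!/bin/sh
# Added example for the capi-release PR discussion; not the PR's own script.
# Part 1: the pre-build sed substitution of the server name in nginx sources,
#         run here against constructed stand-ins for the two source lines that
#         carry the name (real file names are assumptions; verify in the tarball).
# Part 2: a check that a raw HTTP response no longer reveals the name, usable
#         as a regression test after the release is built.

# scrub_server_name FILE NEWNAME
# In-place substitution (a .bak copy is kept) of the "Server: nginx" header
# string and the "<center>nginx</center>" error-page tail. Echoes how many
# lines still mention nginx inside a quoted string literal, so a caller can
# assert on 0. NEWNAME must not contain '/' or '#'.
scrub_server_name() {
  file="$1"
  newname="$2"
  sed -i.bak \
    -e "s/\"Server: nginx\"/\"Server: ${newname}\"/g" \
    -e "s#<center>nginx</center>#<center>${newname}</center>#g" \
    "$file"
  # grep -c prints 0 but exits 1 when nothing matches; keep the count, not the status.
  grep -c '"[^"]*nginx[^"]*"' "$file" || true
}

# response_leaks_server FILE
# FILE holds a raw HTTP response (headers + body). Exits 0 when the Server
# header or the body names nginx, 1 otherwise.
response_leaks_server() {
  grep -qiE '^Server:.*nginx|<center>nginx' "$1"
}

# Demonstration on constructed inputs; safe to run from any directory.
demo() {
  d=$(mktemp -d)
  # Constructed stand-ins for the two nginx source lines (assumed file names).
  printf 'static u_char ngx_http_server_string[] = "Server: nginx" CRLF;\n' \
    > "$d/ngx_http_header_filter_module.c"
  printf '"<hr><center>nginx</center>" CRLF\n' \
    > "$d/ngx_http_special_response.c"
  for f in "$d"/*.c; do
    echo "$f: $(scrub_server_name "$f" "web") nginx string(s) left"
  done
  # Constructed responses: an unmodified build versus the patched build.
  printf 'HTTP/1.1 404 Not Found\r\nServer: nginx/1.25.3\r\n\r\n<html><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>\n' \
    > "$d/before.txt"
  printf 'HTTP/1.1 404 Not Found\r\nServer: web\r\n\r\n<html><body><center><h1>404 Not Found</h1></center><hr><center>web</center></body></html>\n' \
    > "$d/after.txt"
  for r in before after; do
    if response_leaks_server "$d/$r.txt"; then
      echo "$r: leaks server name"
    else
      echo "$r: clean"
    fi
  done
  rm -rf "$d"
}
demo
```

The substitution only covers the two literal strings above; a build with `server_tokens on` also emits the version through the `NGINX_VER` macro, so the response check, not the source grep, is the one to keep in the release pipeline.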

moleske commented 6 months ago

assuming we'll close this draft version of this change