Closed gregkeys closed 8 years ago
This is a current response:
HTTP/1.1 101 Switching Protocols
Server: Crossbar/0.12.1
X-Powered-By: AutobahnPython/0.12.1
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Protocol: wamp.2.json
Sec-WebSocket-Accept: GwCnvxuYOCaZOZ2N84URp5klaq8=
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits=13
We might consider adding an option to remove the version string, but I would like to retain the Server: Crossbar header.
FWIW, here is a response from https://google.de:
alt-svc:quic=":443"; ma=2592000; v="33,32,31,30,29,28,27,26,25"
alternate-protocol:443:quic
cache-control:private, max-age=0
content-encoding:gzip
content-type:text/html; charset=UTF-8
date:Mon, 02 May 2016 06:00:05 GMT
expires:-1
server:gws
status:200
x-frame-options:SAMEORIGIN
x-xss-protection:1; mode=block
Here is https://nginx.com
cache-control:max-age=10800
content-encoding:gzip
content-type:text/html; charset=UTF-8
date:Mon, 02 May 2016 05:59:25 GMT
expires:Mon, 02 May 2016 08:59:25 GMT
link:<https://www.nginx.com/wp-json/>; rel="https://api.w.org/"
link:<https://www.nginx.com/>; rel=shortlink
link:<https://www.nginx.com/wp-json>; rel="https://github.com/WP-API/WP-API"
server:nginx
set-cookie:geoip=DE,02
status:200
strict-transport-security:max-age=31536000
vary:Accept-Encoding
x-pingback:https://www.nginx.com/wordpress/xmlrpc.php
Here is https://mozilla.org
cache-control:max-age=600
cf-cache-status:EXPIRED
cf-ray:29c944d74e670f63-FRA
content-length:0
content-type:text/html; charset=utf-8
date:Mon, 02 May 2016 06:03:14 GMT
expires:Mon, 02 May 2016 06:13:14 GMT
location:https://www.mozilla.org/de/
server:cloudflare-nginx
status:301
vary:Accept-Encoding
x-backend-server:e52e009d5d2a.bedrock-prod.eu-west.moz.works
x-frame-options:DENY
x-robots-tag:noodp
So having the server type (not version, right) in the response is "best practice" ..
Funny how people are trying to save every single byte ;) Notice the missing spaces. Valid of course.
I agree we shouldn't leak the version, at least by default. Shall we just remove the /0.0.0 (from both AutobahnPython and Crossbar) or make it optional (i.e. maybe for some reason you'd like to turn the version on?)
I can see the value in getting the version for debugging. Can we add it when debug is enabled, or better yet add an about endpoint that can return that sort of info, which could also be restricted in the authorizer / config?
(Sent by e-mail on May 4, 2016 in reply to meejah's comment above; https://github.com/crossbario/crossbar/issues/770#issuecomment-217009539)
@gregkeys you're thinking of a WAMP meta-API enhancement, e.g. something like wamp.router.get_info ..? (Which would return a dict including e.g. version: "crossbar/0.13.2")
We could have a new WebSocket transport option in the crossbar node config to suppress full version on http response headers ..
@oberstet yeah that's what I was originally thinking (or, conversely: default is that it just reports "Crossbar" as that's the safer option and you have to turn it on to get full version output, e.g. for debugging etc usecases).
Just for the record, I don't think it's worth completely suppressing the "Server:" header as it's likely pretty easy to fingerprint what sort of server you're talking to anyway (as justification I point to oberstet's previously-posted results, and note that popular web-server nginx has no way to turn off reporting "Server: nginx" but does allow you to stop reporting the precise version)
Feature is implemented on trunk now
This fix does seem to work for websocket transport, but not for web transport.
With:
transports:
  - type: websocket
    endpoint:
      type: tcp
      port: 8080
  - type: web
    endpoint:
      type: tcp
      port: 8081
    paths:
      ws:
        type: websocket
I get the following results:
$ curl -sv -o /dev/null localhost:8080 2>&1 |grep Server
< Server: Crossbar
$ curl -sv -o /dev/null localhost:8081 2>&1 |grep Server
< Server: Crossbar/18.9.2
Looks like web transport indeed does not support the (undocumented) show_server_version option:
crossbar.common.checkconfig.InvalidConfigException: 'show_server_version' unknown in Web transport 'options'
Using docker image crossbario/crossbar:pypy3-18.9.2
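The `curl ... | grep Server` check above works for one header on one port. The following is an added example (not code from the Crossbar project or from anyone in this thread) that generalises it: it parses a captured header dump in any of the three shapes that appear in this thread (raw HTTP, browser devtools "name:value" dumps, and `curl -v` output) and separates headers that merely name a product (`Server: Crossbar`, `server: gws`) from headers that also disclose an exact version (`Server: Crossbar/0.12.1`, `X-Powered-By: AutobahnPython/0.12.1`). The sample dumps below are constructed from the responses quoted in this thread; the `audit_headers` and helper names are this example's own.

```python
"""Audit captured HTTP response headers for product and version fingerprints.

Added example: distinguishes "server type disclosed" (which the thread
considers acceptable) from "exact version disclosed" (which it does not).
"""
import re
from typing import List, Tuple

# Response headers that routinely carry a product name and, often, its version.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# A "/" followed by a dotted numeric version, e.g. the "/0.12.1" in "Crossbar/0.12.1".
VERSION_RE = re.compile(r"/\d+(?:\.\d+)+")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Parse a pasted header dump into (lower-cased name, value) pairs.

    Accepts raw HTTP ("Server: Crossbar"), devtools dumps ("server:gws",
    no space after the colon) and curl -v output ("< Server: Crossbar").
    Status lines, curl request/diagnostic lines and blank lines are skipped.
    """
    pairs: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith(("*", ">")):      # curl diagnostics / request side
            continue
        if line.startswith("<"):             # curl response marker
            line = line[1:].strip()
        if not line or line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def product_headers(raw: str) -> List[Tuple[str, str]]:
    """Fingerprint headers present at all: product name, with or without version."""
    return [(n, v) for n, v in parse_headers(raw) if n in FINGERPRINT_HEADERS]


def version_leaks(raw: str) -> List[Tuple[str, str]]:
    """Fingerprint headers whose value also discloses an exact version number."""
    return [(n, v) for n, v in product_headers(raw) if VERSION_RE.search(v)]


def audit_headers(raw: str) -> str:
    """One-line verdict: OK (no product header), TYPE_ONLY, or VERSION_LEAK."""
    if version_leaks(raw):
        return "VERSION_LEAK"
    if product_headers(raw):
        return "TYPE_ONLY"
    return "OK"


# --- Constructed sample dumps, taken from the responses quoted in this thread ---
CROSSBAR_0_12_1 = """\
HTTP/1.1 101 Switching Protocols
Server: Crossbar/0.12.1
X-Powered-By: AutobahnPython/0.12.1
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Protocol: wamp.2.json
"""

GOOGLE_DEVTOOLS = """\
cache-control:private, max-age=0
content-type:text/html; charset=UTF-8
server:gws
status:200
x-frame-options:SAMEORIGIN
"""

# Excerpts of the curl -v output shown above (only the Server lines were posted).
CURL_WS_FIXED = "< Server: Crossbar\n"
CURL_WEB_UNFIXED = "< Server: Crossbar/18.9.2\n"

if __name__ == "__main__":
    for label, dump in [("crossbar 0.12.1", CROSSBAR_0_12_1), ("google", GOOGLE_DEVTOOLS),
                        ("websocket transport (fixed)", CURL_WS_FIXED),
                        ("web transport (unfixed)", CURL_WEB_UNFIXED)]:
        print(f"{label:30} {audit_headers(dump):13} {version_leaks(dump)}")
```

Run it against `curl -sv` captures of every listening transport (here: both 8080 and 8081), not just the one the fix was tested on; a `TYPE_ONLY` verdict is the state this thread settles on as acceptable, while `VERSION_LEAK` is the state the `show_server_version` option is meant to remove.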
Crossbar leaks software name and version details in HTTP responses:
Server: Crossbar/0.12.1
This information can be used by an attacker during the reconnaissance phase of an attack. It allows the attacker to determine possible attack vectors and vulnerabilities in the web server and application.
Can you add an option to turn this off?