fukamachi / lack

Lack, the core of Clack
MIT License

By default, middleware information will be leaked, which may be attacked #71

Closed anranyicheng closed 1 year ago

fukamachi commented 1 year ago

Can you explain the issue?

anranyicheng commented 1 year ago

Yes, example:

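;; Load the session middleware and Clack
(ql:quickload :lack-middleware-session)
(ql:quickload :clack)
;; Minimal app that always returns "Hello, World"
(defparameter *app*
  (lambda (env)
    (declare (ignore env))
    '(200 (:content-type "text/plain") ("Hello, World"))))
;; Wrap the app in the session middleware with its default settings
(setf *app* (funcall lack.middleware.session:*lack-middleware-session* *app*))
(clack:clackup *app* :server :woo)
;; Request the page and inspect the response headers
(ql:quickload :drakma)
(drakma:http-request "http://127.0.0.1:5000")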

I get:

CL-USER> (drakma:http-request "http://127.0.0.1:5000")
"Hello, World"
200
((:DATE . "Fri, 26 May 2023 08:15:38 GMT")
 (:CONTENT-TYPE . "text/plain")
 (:SET-COOKIE . "lack.session=660b44a00864b97c2755c4b40d2edb7747a2e72a; path=/; expires=Tue, 18 Oct 2146 16:29:24 GMT; SameSite=Lax")
 (:TRANSFER-ENCODING . "chunked"))
#<PURI:URI http://127.0.0.1:5000/>
#<FLEXI-STREAMS:FLEXI-IO-STREAM {1007FFF353}>
T
"OK"

A cookie named "lack.session" leaks server information by default.
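The check below is an added example, not part of the original thread or of Lack: it audits response headers for session cookies that still carry a framework's default name, using the `Set-Cookie` header from the response above as input. The function names, the list of default names other than `lack.session`, and the extra report on missing `HttpOnly`/`Secure` attributes are assumptions made for this example.

```python
"""Audit Set-Cookie headers for default session-cookie names (added example)."""

# Default session-cookie names and the stack each one points to.
# "lack.session" is the name from the response above; the others are
# well-known defaults added for this example.
DEFAULT_NAMES = {
    "lack.session": "Lack (Common Lisp)",
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
    "connect.sid": "Express/Connect (Node.js)",
    "asp.net_sessionid": "ASP.NET",
    "laravel_session": "Laravel",
}


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attributes-dict)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """Return findings for every Set-Cookie header in (name, value) pairs."""
    findings = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        stack = DEFAULT_NAMES.get(name.lower())
        if stack:
            findings.append(f"{name}: default name identifies {stack}")
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"{name}: {flag} attribute not set")
    return findings


# Headers copied from the drakma response in the comment above.
SAMPLE = [
    ("Content-Type", "text/plain"),
    ("Set-Cookie", "lack.session=660b44a00864b97c2755c4b40d2edb7747a2e72a; "
                   "path=/; expires=Tue, 18 Oct 2146 16:29:24 GMT; SameSite=Lax"),
]
```

Run `audit_headers` over the headers of a deployed application's responses; an empty list means no default session-cookie name or missing attribute was found.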