grealish / pwm

Automatically exported from code.google.com/p/pwm

How to disable the X-Pwm-Amb header #360

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi,

Is there a way to remove the X-Pwm-Amb header? Either in 1.6.4 or trunk?

I mean other than via patching ./servlet/src/password/pwm/SessionFilter.java 
with
<  ServletHelper.addPwmResponseHeaders(pwmApplication, resp, true); 
>  ServletHelper.addPwmResponseHeaders(pwmApplication, resp, false);

and rebuilding the WAR...

Cheers

Original issue reported on code.google.com by lanjelot@gmail.com on 10 Apr 2013 at 6:07

GoogleCodeExporter commented 9 years ago
There is not. Is it causing a problem or just a matter of aesthetics?

Original comment by jrivard on 10 Apr 2013 at 12:38

GoogleCodeExporter commented 9 years ago
Does not cause any problem. It just doesn't look too serious when seen on a
corporate application which uses PWM. It's like, if the Apache httpd would send
fortune messages by default, I'm pretty sure users would like a way to disable
them.

IMO, there should be a setting to disable each of the X- headers that PWM can 
send, for security & professionalism reasons.

That said, don't get me wrong. As a security auditor, they actually made me 
laugh :)

Original comment by lanjelot@gmail.com on 11 Apr 2013 at 12:51

GoogleCodeExporter commented 9 years ago
Added a PwmConstants.property to control X-Amb header in revision 546.

Original comment by jrivard on 12 Apr 2013 at 11:45
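
A deployment-side way to drop the header without patching SessionFilter.java, shown as an added example that is not part of the original thread or of PWM's code: a servlet filter that wraps the response and discards the named headers. The class name HeaderSuppressionFilter and the blockedHeaders init-param are assumptions, as is the header being set through setHeader or addHeader; the filter has to be mapped in web.xml ahead of the application's own filters so that they receive the wrapped response.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical filter (not part of PWM): drops configured response headers. */
public class HeaderSuppressionFilter implements Filter {
    // Lower-cased names to drop; HTTP header names are case-insensitive.
    private final Set<String> blocked = new HashSet<String>();

    public void init(FilterConfig config) {
        // "blockedHeaders" is an assumed init-param: a comma-separated list.
        String param = config.getInitParameter("blockedHeaders");
        if (param == null) param = "X-Pwm-Amb";
        for (String name : param.split(",")) {
            String n = name.trim().toLowerCase(Locale.ROOT);
            if (!n.isEmpty()) blocked.add(n);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (!(resp instanceof HttpServletResponse)) { chain.doFilter(req, resp); return; }
        // Everything later in the chain writes its headers through this wrapper.
        chain.doFilter(req, new HttpServletResponseWrapper((HttpServletResponse) resp) {
            @Override public void setHeader(String name, String value) {
                if (allowed(name)) super.setHeader(name, value);
            }
            @Override public void addHeader(String name, String value) {
                if (allowed(name)) super.addHeader(name, value);
            }
        });
    }

    // True when the header is not on the block list.
    private boolean allowed(String name) {
        return name == null || !blocked.contains(name.toLowerCase(Locale.ROOT));
    }

    public void destroy() { }
}
```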