mdn / content

The content behind MDN Web Docs
https://developer.mozilla.org

Security concern in the HTTP headers Server document #33543

Open lkc0626 opened 1 month ago

lkc0626 commented 1 month ago

MDN URL

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server#directives

What specific section or headline is this issue about?

Directives

What information was incorrect, unhelpful, or incomplete?

The HTTP headers Server documentation includes potentially misleading security advice. It mentions that having "Server" information in the HTTP header can expose the server to exploitation by attackers. However, the directive section suggests that revealing Apache versions helps browsers work around bugs. Instead, developers should patch bugs without exposing vulnerable information to potential attackers. Thus, revealing server information contradicts the security warnings in the document.

Below is the statement from the document: "How much detail to include is an interesting balance to strike; exposing the OS version is probably a bad idea, as mentioned in the earlier warning about overly-detailed values. However, exposed Apache versions helped browsers to work around a bug of the versions with Content-Encoding and Range in combination."

What did you expect to see?

Update the document so that contradicting statements will be removed.

Do you have any supporting links, references, or citations?

RFC-2616 states that server information should be confidential. https://datatracker.ietf.org/doc/html/rfc2616#section-15.1.1

Do you have anything more you want to share?

No response

BrianJDrake commented 1 month ago

The issue as reported is not consistent with its citations.

The MDN page includes this warning (emphasis added):

Avoid overly-detailed Server values ....

It goes on to say (emphasis added):

... exposing the OS version is probably a bad idea, as mentioned in the earlier warning about overly-detailed values.

It suggests that including some information (such as an Apache version) might be a good idea. Therefore, there is no contradiction.

RFC 2616 does not say that server information should be confidential. The linked section 15.1.1 is about logged information about users, which has nothing to do with this issue. Section 14.38, which is about the Server header, says (emphasis added):

Revealing the specific software version of the server might allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Server implementors are encouraged to make this field a configurable option.

BrianJDrake commented 1 month ago

Despite my comment above, this issue does raise an important point. Including the Server directive to help clients work around server bugs is definitely a bad idea:

  1. It may be a security concern, even if the MDN page as currently written does a poor job of explaining that.
  2. It is not the clients' job to work around server bugs.

On the other hand, omitting the Server directive as a security measure may also be a bad idea (even if it is consistent with the RFC), as it may lead to a false sense of security.

Here are some more general comments:

  1. The MDN Server page references the User-Agent page for the format, but we could also reference that page for security advice (or lack thereof). Why are we so worried about servers telling clients what software they use, but not at all worried about clients telling servers what software they use?
  2. If you are relying on this sort of security advice, you are probably not qualified to operate a server in the first place. MDN should carefully consider what sort of security advice it includes, and link to other security resources whenever it does include this sort of security advice.
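As an added example, not code from MDN or from anyone in this thread, here is a small Python parser for the Server header's product/comment grammar that reports which parts of a value count as "overly detailed" in the sense the MDN warning and this discussion use (product versions and parenthesised platform comments); the function names are hypothetical.

```python
import re

# Hypothetical helper names, not code from MDN or any web server project.
# Token characters per the HTTP "token" rule (RFC 7230 section 3.2.6).
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_server(value: str):
    """Split a Server value into ([(name, version|None)], [comment text])
    following RFC 7231 section 7.4.2: product *( RWS ( product / comment ) )."""
    products, comments = [], []
    i, n = 0, len(value)
    while i < n:
        ch = value[i]
        if ch in " \t":                      # RWS between elements
            i += 1
        elif ch == "(":                      # comment; may nest, allows \x quoted-pairs
            depth, j = 1, i + 1
            while j < n and depth:
                if value[j] == "\\":
                    j += 2
                    continue
                depth += 1 if value[j] == "(" else -1 if value[j] == ")" else 0
                j += 1
            if depth:
                raise ValueError(f"unterminated comment at offset {i}")
            comments.append(value[i + 1:j - 1])
            i = j
        else:                                # product token with optional /version
            m = TOKEN_RE.match(value, i)
            if not m:
                raise ValueError(f"invalid character {ch!r} at offset {i}")
            name, i, version = m.group(), m.end(), None
            if i < n and value[i] == "/":
                mv = TOKEN_RE.match(value, i + 1)
                if not mv:
                    raise ValueError(f"missing product-version after {name}/")
                version, i = mv.group(), mv.end()
            products.append((name, version))
    return products, comments


def detail_findings(value: str):
    """List what an 'overly detailed' Server value gives away (MDN's warning)."""
    products, comments = parse_server(value)
    findings = [f"version exposed: {n}/{v}" for n, v in products if v]
    findings += [f"platform comment exposed: ({c})" for c in comments]
    return findings
```

Running `detail_findings` over the values a server actually emits is a quick way to review the balance the MDN text talks about: a bare product name returns no findings, while versions and OS comments are each reported.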