Bug in Zinc: 1. Pharo Image
With Zinc one is able to implement a custom web server, either to serve static/dynamic pages or a REST API.
On a production machine one wants to foster web security and give as little information to an outside "hacker" as possible. Specific information about the web server technology and version could already give an attacker a chance to test specific vulnerabilities known for the exposed technology.
Currently Zinc always responds with a server string telling that the server was built with "Zinc HTTP Components 1.0 (Pharo/7.0)".
This comes from
Unfortunately it is hardcoded and cannot be influenced without overwriting these methods.
We should improve on that by using a lazily initialized class variable and giving a developer the possibility to set a different server response string:
Side note 1:
============
This is also helpful if you want to "mock" other server signatures (act as if the resources come from a Glassfish, Tomcat or another server instead of Zinc).

Side note 2:
============
It is known that in most web production scenarios you have a web server like Apache, Nginx or another in front, taking care of headers and other things. Nonetheless it is possible to work without them, and therefore it should be possible to set a different server string.

To not get out of sync, we should also include this in the regular Zinc framework.
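A deployment check for the disclosure described above, as an added example that is not part of the original report or of Zinc: it reads a raw HTTP response head and lists what the Server field gives away (dotted version numbers and parenthesised platform comments). The function names, the neutral value "web" and both sample responses are constructed for illustration; a string that carries only a product name still names the technology and is not flagged here.

```python
import re

VERSION = re.compile(r"\d+(?:\.\d+)+")   # dotted version such as 1.0 or 7.0
COMMENT = re.compile(r"\(([^()]*)\)")    # parenthesised comment, e.g. (Pharo/7.0)


def server_values(raw_head: bytes) -> list:
    """Return the value of every Server field in a raw HTTP response head."""
    values = []
    for line in raw_head.decode("iso-8859-1").split("\r\n")[1:]:  # skip status line
        if not line:          # blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            values.append(value.strip())
    return values


def audit(raw_head: bytes) -> list:
    """List what each Server value discloses; an empty list means nothing found."""
    findings = []
    for value in server_values(raw_head):
        for comment in COMMENT.findall(value):
            findings.append(f"platform comment: {comment}")
        # Look for product versions outside the comments already reported.
        for version in VERSION.findall(COMMENT.sub(" ", value)):
            findings.append(f"product version: {version}")
    return findings


# Constructed sample responses (not captured traffic).
DEFAULT_HEAD = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/plain\r\n"
                b"Server: Zinc HTTP Components 1.0 (Pharo/7.0)\r\n"
                b"\r\n")
NEUTRAL_HEAD = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/plain\r\n"
                b"Server: web\r\n"
                b"\r\n")

if __name__ == "__main__":
    for head in (DEFAULT_HEAD, NEUTRAL_HEAD):
        print(server_values(head), "->", audit(head) or "no disclosure found")
```

Run against the response of a server exposed without a reverse proxy, a non-empty result means the default string is still being sent.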