Manuscript (Case [Issue]22886) Zinc - Zinc should allow custom server string


Pharo Issue Tracker
Manuscript Notification
Torsten Bergmann opened Case 22886: Zinc should allow custom server string and assigned it to Torsten Bergmann:
Bug in Project: Zinc: 1. Pharo Image
With Zinc one is able to implement a custom webserver, either to serve static/dynamic
pages or a REST API.

On a production machine one wants to foster web security and wants to give as little info
as possible to an outside "hacker". Specific info about the webserver technology and
version could already give an attacker a chance to test specific vulnerabilities known
for the exposed technology.

Currently Zinc always responds with a server string telling that the server was built
with "Zinc HTTP Components 1.0 (Pharo/7.0)".

This comes from

ZnConstants defaultServerString

Unfortunately it is hardcoded and cannot be influenced without hard-overwriting
these methods.

We should improve on that by using a lazily initialized class variable and give
developers the possibility to set a different server response string:

ZnConstants defaultServerString: 'MySecureServerThatDoesNotExposeNameVersionAndTechnology'

Side note 1:
============
This is also helpful if you want to "mock" other server signatures
(act as if the resources come from a Glassfish, Tomcat or another server instead of Zinc).

Side note 2:
============
It is known that in most web production scenarios you have a webserver like Apache,
Nginx or another in front, taking care of headers and other things. Nonetheless it is possible
to work without them, and therefore it should be possible to set a different server string.

To not get out of sync, we should also include this in the regular Zinc framework.

Priority: 3 – Must Fix
Status: Work Needed
Assigned to: Torsten Bergmann
Milestone: Pharo7.0

_______________________________________________
Pharo-bugtracker mailing list
[hidden email]
https://lists.gforge.inria.fr/mailman/listinfo/pharo-bugtracker
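The pattern the case proposes (a lazily initialized class variable with a class-side setter, falling back to the hardcoded default) as an added example in Pharo Smalltalk. This is illustrative code written for this page, not Zinc's own implementation: the class `ZnServerStringExample`, its methods and the `leaksTechnology:` heuristic are all assumptions, and the closing `ZnClient` call assumes a server is already listening on localhost:8080.

```smalltalk
"Added example, not Zinc's own code. Hypothetical class showing the proposed
 lazily initialized class variable plus setter, and a check a deployer can run
 on the configured string before exposing the server."
Object subclass: #ZnServerStringExample
    instanceVariableNames: ''
    classVariableNames: 'ServerString'
    package: 'ZnServerString-Example'

ZnServerStringExample class >> defaultServerString
    "Hardcoded default, mirroring the value quoted in the case"
    ^ 'Zinc HTTP Components 1.0 (Pharo/7.0)'

ZnServerStringExample class >> serverString
    "Lazily initialized: falls back to the default until someone sets it"
    ^ ServerString ifNil: [ ServerString := self defaultServerString ]

ZnServerStringExample class >> serverString: aString
    "Configure the value to be sent in the Server response header"
    ServerString := aString

ZnServerStringExample class >> resetServerString
    "Forget the configured value; the next read returns the default again"
    ServerString := nil

ZnServerStringExample class >> leaksTechnology: aString
    "Heuristic check (assumption, not a Zinc API): true when the string
     contains a dotted version number or the name of a known implementation,
     i.e. exactly the information the case wants to hide from an attacker"
    | lowered |
    lowered := aString asLowercase.
    (lowered matchesRegex: '.*[0-9]+\.[0-9]+.*') ifTrue: [ ^ true ].
    ^ #('zinc' 'pharo' 'squeak' 'apache' 'nginx' 'tomcat' 'glassfish' 'iis')
        anySatisfy: [ :name | lowered includesSubstring: name ]

"Usage, e.g. in a Playground:"
ZnServerStringExample resetServerString.
ZnServerStringExample leaksTechnology: ZnServerStringExample serverString.
    "the default leaks both product name and versions"
ZnServerStringExample serverString: 'WebServer'.
ZnServerStringExample leaksTechnology: ZnServerStringExample serverString.
    "a neutral string passes the check"

"Deployment check: read the Server header a running server actually sends.
 Assumes a server listening on localhost:8080."
(ZnClient new url: 'http://localhost:8080/'; get; response)
    headers at: 'Server' ifAbsent: [ nil ]
```

The last expression is the check that matters in practice: whatever string is configured, confirm with a real request that the framework did not overwrite the header afterwards, since the case reports that the value is set inside Zinc rather than by the request handler.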