|
With Zinc one is able to implement a custom webserver either to serve static/dynamic pages, a REST API or other.
On a production machine one wants to foster web security and want to give as less infos to an outside "hacker" as possible. A specific info about the webserver technology and version could already give an attacker a chance in testing specific vulnerabilities known for the exposed technology.
Currently Zinc responds with a server string always telling that the server was done in "Zinc HTTP Components 1.0 (Pharo/7.0)".
This comes from
ZnConstants defaultServerString
Unfortunately it is hardcoded and not able to influence without hard overwriting of these methods.
We should improve on that by using a lazy initialized class variable and give a developer the possibility to set a different server response string:
ZnConstants defaultServerString: "MySecureServerThatDoesNotExposeNameVersionAndTechnology"
Side note 1: ============ This is also helpful if you want to "mock" other server signatures (act as if the resources a Zinc response come from a Glassfish, Tomcat or other instead of Zinc Pharo )
Side note 2: ============ It is known that in most web production scenarios you have a webserver like Apache, Nginx or other in front caring about headers and others. Nonetheless it is possible to work without them and therefore it should be possible to set a different server string
To not get out of synch we should also include this into the regular Zinc framework
|
|
|
Priority: 3 – Must Fix
|
|
Status: Resolved (Fix Review Needed)
|
|
Assigned to: Torsten Bergmann
|
|
Milestone: Pharo7.0
|
Go to Case
|
|