Omit Server Header from Server Responses by Default #9769 (Closed)
Overview
This PR addresses an unnecessary and potentially harmful default setting in the Warp server that automatically includes the Server header in all responses, explicitly revealing the server version as Warp/3.3.23.

Problem
The presence of the Server header could inadvertently aid attackers by exposing specific software versions, which could be exploited if known security holes are present. The potential risks are outlined in RFC 2068 and further discussed in this article by Troy Hunt. The offending default can be located in the Warp server's source code here.

Solution
This PR proposes to disable the Server header by default, significantly reducing the exposure of potentially sensitive information.
I can also revise this to make it configurable if need be; but I think this is a sane default.

Impact
Removing the Server header will mainly impact transparency, and should not disrupt functionality. There's a slight chance that clients relying on the header for metrics or logging might be affected. But given that the Server header offers no functional benefit to client-server interactions, these cases should be rare.

Changelog
Component: server
Type: bugfix
Product: community-edition

Short Changelog
The Server header in server responses is omitted.

Long Changelog
The Server HTTP header is no longer included in server responses by default. This change enhances security by withholding potentially sensitive information about the server version that could aid attackers in identifying known security vulnerabilities. This new default behavior aligns with the recommendations in RFC 2068.

Related Issues
Steps to test and verify
Hitting the healthcheck endpoint is the easiest way here :)
Catalog upgrade
Does this PR change Hasura Catalog version?

Metadata
Does this PR add a new Metadata feature?
run_sql auto manages the new metadata through schema diffing?
run_sql auto manages the definitions of metadata on renaming?
export_metadata/replace_metadata supports the new metadata added?

GraphQL

Breaking changes
No Breaking changes
There are breaking changes:
Metadata API
  Existing query types: args payload which is not backward compatible; JSON schema
GraphQL API
  Schema Generation: NamedType
  Schema Resolve: null value for any input fields
Logging
  JSON schema has changed
  type names have changed

On the off-chance that clients rely on the header for metrics or logging, they may experience a degradation. This is a highly unlikely scenario though.