Repose: REP-4725

Add option to leave out the Server header in the response

    Details

    • Type: Story
    • Status: Resolved
    • Priority: High
    • Resolution: Done
    • Affects versions: None
    • Fix versions: 8.5.0.1
    • Components: None
    • Labels:
      None
    • Sprint:
      Sprint 140
    • Story Points:
      3
    • Capitalizable:
      True

      Description

      As a security-conscious user (Sign Up Service or any other PCI-compliant product),
      I would like Repose to stop including the Server header in the response
      so that end users don't have unnecessary information about the backend API.

      The embedded Jetty server is currently adding a Server header with the value "Jetty(9.2.z-SNAPSHOT)" after Repose has done its processing. We can programmatically tell Jetty not to add the header, but it would require a code update.

      For now, users can use the Add Header filter to set the Server header themselves, which stops Jetty from setting the value.

      See link for details:
      http://stackoverflow.com/questions/15652902/remove-the-http-server-header-in-jetty-9

      Acceptance Criteria:

      • Repose should not be setting the "Server" header in the response to the client.
      • The dd should not be setting the "Server" header in responses being sent out either.
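
The programmatic change the description refers to, shown as an added example and not Repose's actual fix: in embedded Jetty 9 the header is controlled by `HttpConfiguration.setSendServerVersion`, and the check below confirms the result from the client side. The class name `ServerHeaderCheck` and the two loopback connectors are illustrative assumptions; it needs Jetty 9.x and the javax.servlet API on the classpath.

```java
import java.net.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.server.handler.AbstractHandler;

public class ServerHeaderCheck {
    // Adds a loopback connector on an ephemeral port with the given header setting.
    static ServerConnector connector(Server server, boolean sendServerVersion) {
        HttpConfiguration config = new HttpConfiguration();
        config.setSendServerVersion(sendServerVersion); // false: Jetty adds no Server header
        ServerConnector c = new ServerConnector(server, new HttpConnectionFactory(config));
        c.setHost("127.0.0.1");
        c.setPort(0);
        server.addConnector(c);
        return c;
    }

    // Returns the Server response header as a client sees it, or null if absent.
    static String serverHeader(int port) throws Exception {
        HttpURLConnection conn =
            (HttpURLConnection) new URL("http://127.0.0.1:" + port + "/").openConnection();
        conn.getResponseCode(); // forces the request to be sent
        String value = conn.getHeaderField("Server");
        conn.disconnect();
        return value;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        ServerConnector defaults = connector(server, true);  // Jetty's default behaviour
        ServerConnector hardened = connector(server, false); // header suppressed
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest,
                               HttpServletRequest request, HttpServletResponse response) {
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                baseRequest.setHandled(true);
            }
        });
        server.start();
        try {
            System.out.println("default connector:  Server=" + serverHeader(defaults.getLocalPort()));
            String leaked = serverHeader(hardened.getLocalPort());
            if (leaked != null) throw new IllegalStateException("Server header still sent: " + leaked);
            System.out.println("hardened connector: no Server header");
        } finally {
            server.stop();
        }
    }
}
```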

              People

              • Assignee:
                wdschei Bill Scheidegger
              • Reporter:
                mario.lopez Mario Lopez