As a security-conscious user (Sign Up Service or any other PCI-compliant product),
I would like Repose to stop including the Server header in the response
so that end users don't have unnecessary information about the backend API.
The embedded Jetty server currently adds a Server header with the value "Jetty(9.2.z-SNAPSHOT)" after Repose has done its processing. We can programmatically tell Jetty not to add the header, but that would require a code update.
For now, users can use the Add Header filter to set the Server header themselves, which stops Jetty from setting the value.
See link for details:
- Repose should not be setting the "Server" header in the response to the client.
- The dd should not be setting the "Server" header in responses being sent out either.
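The programmatic change mentioned above, as an added example (not Repose's own code): in Jetty 9, `HttpConfiguration.setSendServerVersion(false)` stops the connector from adding the `Server` header. The class name `NoServerHeaderExample`, the stand-in handler, and the loopback self-check are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

// Hypothetical class name; shows an embedded Jetty 9 server that omits the Server header.
public class NoServerHeaderExample {

    static Server buildServer(int port) {
        Server server = new Server();
        HttpConfiguration httpConfig = new HttpConfiguration();
        // Default is true, which emits "Server: Jetty(<version>)" on every response.
        httpConfig.setSendServerVersion(false);
        ServerConnector connector =
                new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setPort(port); // 0 = pick any free port
        server.addConnector(connector);
        // Minimal stand-in handler (assumption); a real deployment runs its filter chain here.
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws IOException {
                response.setStatus(HttpServletResponse.SC_OK);
                response.getWriter().println("ok");
                baseRequest.setHandled(true);
            }
        });
        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = buildServer(0);
        server.start();
        try {
            int port = ((ServerConnector) server.getConnectors()[0]).getLocalPort();
            URL url = new URL("http://127.0.0.1:" + port + "/");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            // Acceptance check: the response must carry no Server header at all.
            String header = conn.getHeaderField("Server");
            if (header != null) throw new IllegalStateException("Server header leaked: " + header);
            System.out.println("HTTP " + conn.getResponseCode() + ", no Server header");
        } finally { server.stop(); }
    }
}
```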