Details

    • Type: Story
    • Status: Resolved
    • Priority: High
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 8.5.0.1
    • Component/s: None
    • Labels: None
    • Sprint: Sprint 140
    • Story Points: 3
    • Capitalizable: True

      Description

      As a security-minded Repose user,
      I want to be able to enable, disable, and customize the Via header,
      So that bad actors cannot discern that a specific version of Repose is supporting my API.

      Currently there is no way to prevent Repose from populating the Via header on an HTTP response. The header is populated with a customizable component (configured in the container.cfg.xml file), the word "Repose", and the Repose version; the security team objects to disclosing all of that information to every client.

      https://github.com/rackerlabs/repose/blob/master/repose-aggregator/core/repose-core/src/main/java/org/openrepose/powerfilter/PowerFilter.java#L448

      https://github.com/rackerlabs/repose/blob/master/repose-aggregator/core/repose-core-api/src/main/resources/META-INF/schema/container/container-configuration.xsd#L99-L105

      https://github.com/rackerlabs/repose/blob/master/repose-aggregator/core/repose-core/src/main/java/org/openrepose/nodeservice/response/ViaResponseHeaderBuilder.java#L38-L42

      Acceptance Criteria:

      • Config exists to turn off the Via header in the response, in a way that is backwards compatible with Repose 8
      • A new element will exist that is mutually exclusive with the existing attribute
      • The existing attribute will be deprecated for removal in Repose 9
      • The ability to customize a portion of the Via header will remain (the received-by token of the Via header in the spec)
      • If both the old attribute and the new element are missing, use the current default behavior:
        • The spec defines: received-protocol RWS received-by [ RWS comment ]
        • Response: received-protocol RWS "Repose" RWS "(Repose/" repose-version ")"
        • Request: received-protocol RWS uri-host [ ":" port ] RWS "(Repose/" repose-version ")"
      • If the old attribute is present, use the current default behavior:
        • Response: received-protocol RWS configured-value RWS "(Repose/" repose-version ")"
        • Request: received-protocol RWS configured-value RWS "(Repose/" repose-version ")"
      • If the new element is present, behave as the element is configured.
      • The new element will have an optional boolean attribute repose-version, defaulting to true, that enables/disables adding the Repose version to the response header
      • The new element will have an optional String attribute request-prefix to specify the prefix of the Via header in the request
      • The new element will have an optional String attribute response-prefix to specify the prefix of the Via header in the response
      • If no response-prefix is configured and repose-version is false, no Via header should be added to the response
      • The request Via header cannot be disabled, as the spec requires it
      • A separate story is needed to define the behavior in Repose 9
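      As an added illustration, not Repose's own code, the following Python builder applies the three configuration cases above (neither setting, the legacy attribute, the new element) to produce the request and response Via values. The ViaConfig class, the function names, and the "Repose" fallback used when the new element is present without a response-prefix are assumptions made here; the version string is simply this issue's Fix Version.

```python
# Added example (not Repose's own code): a small builder that applies the Via
# header rules from this story's acceptance criteria. ViaConfig, the function
# names and the "Repose" fallback for a missing response-prefix are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ViaConfig:
    """Models the two ways the story allows Via to be configured.

    legacy_value:    the existing (to-be-deprecated) container.cfg.xml attribute
    element_present: whether the new, mutually exclusive element is configured
    repose_version:  the new element's optional boolean attribute (default true)
    request_prefix:  the new element's optional request-prefix attribute
    response_prefix: the new element's optional response-prefix attribute
    """
    legacy_value: Optional[str] = None
    element_present: bool = False
    repose_version: bool = True
    request_prefix: Optional[str] = None
    response_prefix: Optional[str] = None

    def __post_init__(self):
        # Acceptance criterion: old attribute and new element are mutually exclusive.
        if self.legacy_value is not None and self.element_present:
            raise ValueError("legacy via attribute and new via element are mutually exclusive")


def received_protocol(protocol: str) -> str:
    """RFC 7230 5.7.1: the protocol-name is omitted when it is HTTP ('HTTP/1.1' -> '1.1')."""
    name, _, version = protocol.partition("/")
    return version if name.upper() == "HTTP" and version else protocol


def _version_comment(version: str) -> str:
    return f"(Repose/{version})"


def _join(*parts: Optional[str]) -> str:
    # RWS between received-protocol, received-by and the optional comment
    return " ".join(p for p in parts if p)


def build_request_via(cfg: ViaConfig, protocol: str, uri_host: str,
                      port: Optional[int] = None, version: str = "8.5.0.1") -> str:
    """The request Via is always emitted; only its received-by and comment vary."""
    proto = received_protocol(protocol)
    host = f"{uri_host}:{port}" if port is not None else uri_host
    if cfg.legacy_value is not None:
        return _join(proto, cfg.legacy_value, _version_comment(version))
    if not cfg.element_present:
        return _join(proto, host, _version_comment(version))
    received_by = cfg.request_prefix or host
    comment = _version_comment(version) if cfg.repose_version else None
    return _join(proto, received_by, comment)


def build_response_via(cfg: ViaConfig, protocol: str, version: str = "8.5.0.1") -> Optional[str]:
    """Returns None when no Via header should be added to the response."""
    proto = received_protocol(protocol)
    if cfg.legacy_value is not None:
        return _join(proto, cfg.legacy_value, _version_comment(version))
    if not cfg.element_present:
        return _join(proto, "Repose", _version_comment(version))
    if cfg.response_prefix is None and not cfg.repose_version:
        return None  # acceptance criterion: nothing to disclose, so no header at all
    # Assumption: element present but no response-prefix keeps the default
    # "Repose" token so the version comment still has a received-by in front of it.
    received_by = cfg.response_prefix or "Repose"
    comment = _version_comment(version) if cfg.repose_version else None
    return _join(proto, received_by, comment)


def append_via(existing: Optional[str], entry: Optional[str]) -> Optional[str]:
    """Via is a list header: an intermediary appends its entry after upstream ones."""
    if entry is None:
        return existing
    return f"{existing}, {entry}" if existing else entry


if __name__ == "__main__":
    hardened = ViaConfig(element_present=True, repose_version=False, response_prefix="edge")
    print(build_request_via(hardened, "HTTP/1.1", "api.example.com", 443))  # 1.1 api.example.com:443
    print(build_response_via(hardened, "HTTP/1.1"))                          # 1.1 edge
    print(build_response_via(ViaConfig(), "HTTP/1.1"))                       # 1.1 Repose (Repose/8.5.0.1)
```

      The hardened configuration shows the intended end state: the response carries only a neutral received-by token with no product or version comment, and dropping response-prefix as well suppresses the response header entirely, while the request header is still produced because the spec requires it.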

              People

              • Assignee: wdschei Bill Scheidegger
              • Reporter: damien.johnson Damien Johnson
              • Votes: 0
              • Watchers: 2
