As a security-minded Repose user,
I want to be able to enable, disable, and customize the via header
So that bad actors cannot discern that a specific version of Repose is supporting my API.
Currently, there is no way to prevent Repose from populating the Via header on an HTTP response. The Via header is populated with a customizable component (configured in the container.cfg.xml file), the word Repose, and the version of Repose. Security does not like offering up all of that information.
- Config exists to turn off the Via header in the response, in a way that is backwards compatible with Repose 8
- A new element will exist that is mutually exclusive with the existing attribute
- The existing attribute will be deprecated for removal in Repose 9
- The ability to customize a portion of the Via header will remain (the received-by part of the Via header in the spec)
- If both the old attribute and the new element are missing, use the current default behavior:
  - Where the spec says: received-protocol RWS received-by [ RWS comment ]
  - Response: received-protocol RWS "Repose" RWS "(Repose/" repose-version ")"
  - Request: received-protocol RWS uri-host [ ":" port ] RWS "(Repose/" repose-version ")"
- If the old attribute is present, use the current behavior:
  - Response: received-protocol RWS configured-value RWS "(Repose/" repose-version ")"
  - Request: received-protocol RWS configured-value RWS "(Repose/" repose-version ")"
- If the new element is present, behave as the element is configured:
  - The new element will have an optional boolean attribute repose-version, defaulting to true, that enables/disables adding the Repose version to the response header
  - The new element will have an optional String attribute request-prefix to specify the prefix of the Via header in the request
  - The new element will have an optional String attribute response-prefix to specify the prefix of the Via header in the response
  - If there is no response-prefix and repose-version is false, no Via header should be added to the response
  - The request header cannot be disabled, as it is required by the spec
- A further story is needed to define the behavior in Repose 9
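The rules above, worked through as an added example (not Repose's own code or schema): a small model of the three configuration states and the Via value each one produces for the request and the response, plus a check a reviewer can run against emitted headers to confirm the version comment is gone. The field names on ViaConfig, the fallback of request-prefix to uri-host[:port], the fallback of response-prefix to the pseudonym "Repose" when only the version is disabled, and the repose-version flag also governing the request comment are assumptions; the version string is a constructed placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

REPOSE_VERSION = "x.y.z"  # constructed placeholder for the running Repose build's version

@dataclass
class ViaConfig:
    """Container-config options from the story. Field names are assumptions, not Repose's schema."""
    legacy_via: Optional[str] = None     # the existing (deprecated) attribute, if set
    via_element: bool = False            # whether the new element is present
    repose_version: bool = True          # the new element's repose-version attribute
    request_prefix: Optional[str] = None
    response_prefix: Optional[str] = None

    def __post_init__(self) -> None:
        if self.legacy_via is not None and self.via_element:  # story: mutually exclusive
            raise ValueError("legacy via attribute and new via element are mutually exclusive")

def request_via(cfg: ViaConfig, received_protocol: str, host: str, port: Optional[int] = None) -> str:
    """Via value Repose adds on the request to the origin; never disabled, the spec requires it."""
    received_by = host if port is None else f"{host}:{port}"
    comment = f"(Repose/{REPOSE_VERSION})"
    if cfg.legacy_via is not None:                       # old attribute: current behavior
        return f"{received_protocol} {cfg.legacy_via} {comment}"
    if not cfg.via_element:                              # neither configured: current default
        return f"{received_protocol} {received_by} {comment}"
    # New element. Assumed: prefix falls back to host[:port]; repose-version also governs this comment.
    parts = [received_protocol, cfg.request_prefix or received_by]
    if cfg.repose_version:
        parts.append(comment)
    return " ".join(parts)

def response_via(cfg: ViaConfig, received_protocol: str) -> Optional[str]:
    """Via value Repose adds on the response to the client, or None when it must be omitted."""
    comment = f"(Repose/{REPOSE_VERSION})"
    if cfg.legacy_via is not None:
        return f"{received_protocol} {cfg.legacy_via} {comment}"
    if not cfg.via_element:
        return f"{received_protocol} Repose {comment}"
    if cfg.response_prefix is None and not cfg.repose_version:
        return None                                      # story: no Via header on the response
    parts = [received_protocol, cfg.response_prefix or "Repose"]  # "Repose" fallback is an assumption
    if cfg.repose_version:
        parts.append(comment)
    return " ".join(parts)

def reveals_version(via: Optional[str]) -> bool:
    """Check an emitted Via value for the '(Repose/<version>)' comment the story wants hidden."""
    return via is not None and re.search(r"\(Repose/[^)]*\)", via) is not None
```

Running reveals_version over the Via values a deployment actually emits is the quickest way to confirm the new element is configured as intended before the old attribute is removed.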