Conversation

@javierivanov
Contributor

What is this PR for?

A few sentences describing the overall goals of the pull request's commits.
First time? Check out the contributing guide - https://zeppelin.apache.org/contribution/contributions.html

What type of PR is it?

[Improvement]

What is the Jira issue?

How should this be tested?

  • Travis should pass

With default `zeppelin.server.send.jetty.name = true`:

```
$ curl -i localhost:8080/nonexisting
HTTP/1.1 404 Not Found
Date: Fri, 31 Jan 2020 19:16:33 GMT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization,Content-Type
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 328
Server: Jetty(9.4.18.v20190429)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 404 Not Found</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /nonexisting. Reason:
<pre>    Not Found</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.18.v20190429</a><hr/>

</body>
</html>
```

After changing to `zeppelin.server.send.jetty.name = false`:

```
$ curl -i localhost:8080/nonexisting
HTTP/1.1 404 Not Found
Date: Fri, 31 Jan 2020 19:15:57 GMT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization,Content-Type
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 243

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 404 Not Found</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /nonexisting. Reason:
<pre>    Not Found</pre></p>
</body>
</html>
```

Questions:

  • Do the license files need an update?
    No
  • Are there breaking changes for older versions?
    No
  • Does this need documentation?
    Yes

@krishna-pandey
Contributor

Have you checked the existing ZEPPELIN-2461, where you can custom-configure the header? I feel not sending a header raises more suspicion for the attacker and won't be a good form of deception.

@javierivanov
Contributor Author

@krishna-pandey Yes, but I think bot approaches are good here, since the goal is to avoid showing the exact version and attacks targeting specific known vulnerabilities. And there are users who would like to avoid showing that at all. This PR is just to give more options to users. Let me know what you think 👍

@krishna-pandey
Contributor

> bot

You got me confused here. I got into thinking about bots fingerprinting the server version and using relevant payloads to attack.

My point is that "abnormal" or "deviating from the normal pattern" makes an attacker more curious. Not sending the Server version is not a fool-proof way to hide that information; however, if someone wants to do that, you just have to put a space character, as in the config below:

```xml
<property>
    <name>zeppelin.server.jetty.name</name>
    <value> </value>
    <description>Hardcoding Application Server name to Prevent Fingerprinting</description>
</property>
```

and you will get the effect below:

(Screenshot 2020-02-04 at 08 07 34; image not included)

Let me know your thoughts.
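The thread above distinguishes three states of the same response: the default, where the Jetty version appears both in the `Server` header and in the "Powered by Jetty" footer of the error page; `zeppelin.server.send.jetty.name = false`, where the header and footer are absent; and the space-character `zeppelin.server.jetty.name` setting, where a header is still sent but carries no version. The following Python check is an added example, not code from this PR or from Zeppelin: it parses a raw HTTP response and reports where, if anywhere, a version string is disclosed, which is a quick way to verify a deployed configuration. The two first samples are constructed from the curl output in the PR description (irrelevant headers dropped); the blank-header sample assumes Zeppelin sends the configured value verbatim, which is an assumption, since the screenshot is not reproduced here.

```python
import re
from typing import NamedTuple, Optional

# Constructed from the PR description's curl output for the default setting
# (uninteresting headers dropped; CRLF line endings as on the wire).
RESPONSE_DEFAULT = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Type: text/html;charset=iso-8859-1\r\n"
    b"Server: Jetty(9.4.18.v20190429)\r\n"
    b"\r\n"
    b"<html><body><h2>HTTP ERROR 404</h2>\n"
    b"<p>Problem accessing /nonexisting. Reason:\n<pre>    Not Found</pre></p>"
    b'<hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.18.v20190429</a><hr/>\n'
    b"</body></html>\n"
)

# Constructed from the curl output with zeppelin.server.send.jetty.name = false:
# no Server header and no footer.
RESPONSE_HEADER_ABSENT = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Type: text/html;charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h2>HTTP ERROR 404</h2>\n"
    b"<p>Problem accessing /nonexisting. Reason:\n<pre>    Not Found</pre></p>\n"
    b"</body></html>\n"
)

# Assumed shape of the space-character zeppelin.server.jetty.name approach:
# the header is sent but holds only whitespace (constructed, not observed).
RESPONSE_HEADER_BLANK = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Type: text/html;charset=iso-8859-1\r\n"
    b"Server: \r\n"
    b"\r\n"
    b"<html><body><h2>HTTP ERROR 404</h2>\n"
    b"<p>Problem accessing /nonexisting. Reason:\n<pre>    Not Found</pre></p>\n"
    b"</body></html>\n"
)

# Jetty's header value looks like "Jetty(9.4.18.v20190429)"; any dotted number
# counts as a version. The footer is the "Powered by Jetty://" line in the body.
VERSION_RE = re.compile(r"\d+\.\d+")
FOOTER_RE = re.compile(r"Powered by Jetty://\s*(\S+)")


class Finding(NamedTuple):
    server_header: Optional[str]  # None when absent, "" when sent blank
    header_leaks_version: bool
    body_leaks_version: bool
    verdict: str


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header dict, body text).
    Accepts CRLF or bare LF so that pasted `curl -i` output also works."""
    match = re.search(rb"\r?\n\r?\n", raw)
    if match is None:
        head, body = raw, b""
    else:
        head, body = raw[: match.start()], raw[match.end():]
    lines = head.decode("iso-8859-1").splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("iso-8859-1", errors="replace")


def assess(raw: bytes) -> Finding:
    """Classify a response by how much it reveals about the servlet container."""
    _, headers, body = split_response(raw)
    server = headers.get("server")  # absent -> None, "Server: " -> ""
    header_leak = bool(server) and VERSION_RE.search(server) is not None
    footer = FOOTER_RE.search(body)
    body_leak = footer is not None and VERSION_RE.search(footer.group(1)) is not None
    if header_leak or body_leak:
        verdict = "version disclosed"
    elif server is None:
        verdict = "header absent"
    else:
        verdict = "header present, no version"
    return Finding(server, header_leak, body_leak, verdict)


if __name__ == "__main__":
    for label, raw in [("default", RESPONSE_DEFAULT),
                       ("send.jetty.name=false", RESPONSE_HEADER_ABSENT),
                       ("blank jetty.name", RESPONSE_HEADER_BLANK)]:
        print(f"{label:24} -> {assess(raw).verdict}")
```

The check looks at the body as well as the header because the PR's own output shows the version in both places; a setting that blanks only the header would still be reported as "version disclosed" if the error-page footer were left intact.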

Contributor

@alexott alexott left a comment

with small comment about value in template

@alexott
Contributor

alexott commented Apr 9, 2020

@krishna-pandey Can you please rebase it to master?

@Reamer
Contributor

Reamer commented Apr 29, 2020

LGTM

@Reamer
Contributor

Reamer commented May 11, 2020

What is blocking the merging of this PR?

@asfgit asfgit closed this in f9ab6bb May 11, 2020
asfgit pushed a commit that referenced this pull request May 11, 2020
…and on 300/400 pages

### What is the Jira issue?
* https://issues.apache.org/jira/browse/ZEPPELIN-4586

Author: Javier Fuentes <[email protected]>
Author: Javier <[email protected]>

Closes #3622 from javierivanov/ZEPPELIN-SENDVERSION and squashes the following commits:

44e0474 [Javier Fuentes] fixed template
b720757 [Javier Fuentes] fixes
430b92d [Javier] added parameter and doc