synapse-dev mailing list archives

From Hiranya Jayathilaka <hiranya...@gmail.com>
Subject Re: HTTP Transports Preserving Server Header
Date Mon, 12 Aug 2013 18:51:21 GMT
I went through the HTTP spec, and it looks like the existing Synapse behavior is correct after
all. Here's what the spec has to say:

If the response is being forwarded through a proxy, the proxy application MUST NOT modify
the Server response-header. Instead, it SHOULD include a Via field (as described in section
14.45).

      Note: Revealing the specific software version of the server might
      allow the server machine to become more vulnerable to attacks
      against software that is known to contain security holes. Server
      implementors are encouraged to make this field a configurable
      option.
So maybe we should keep the current default behavior and perhaps add the "Via" header to the
response, as suggested.

Thanks,
Hiranya

On Aug 11, 2013, at 10:41 PM, Hiranya Jayathilaka <hiranya911@gmail.com> wrote:

> On Aug 11, 2013, at 10:51 AM, Sanjiva Weerawarana <sanjiva@opensource.lk> wrote:
> 
>> IMO the Server header should by default be set by Synapse to say "Apache Synapse vX.Y.Z"
>> or something like that and have an option to forward that of the backend.
> 
> +1 to the suggested default behavior.
> 
> We already have a (undocumented) configuration option to control this. It's just that
> the current default behavior is to pass the "Server" header sent by the backend server.
> 
> Thanks,
> Hiranya
> 
>> 
>> I guess we should probably look at what a reverse proxy like nginx does by default
>> and do whatever they do .. as that's the role of Synapse in HTTP-HTTP routing.
>> 
>> Sanjiva.
>> 
>> 
>> On Sun, Aug 11, 2013 at 8:23 PM, Rajika Kumarasiri <rajika.kumarasiri@gmail.com> wrote:
>> I meant it's better not to include that header by default since it can be considered
>> a security issue. But as you have suggested we also need a way to configure the header.
>> 
>> Rajika
>> 
>> 
>> On Sun, Aug 11, 2013 at 1:52 AM, Hiranya Jayathilaka <hiranya911@gmail.com> wrote:
>> Hi Rajika,
>> 
>> On Aug 10, 2013, at 10:42 PM, Rajika Kumarasiri <rajika.kumarasiri@gmail.com> wrote:
>> 
>>> +1. Should be use-if-available. 
>> 
>> Are you implying that the current behavior is correct (i.e. passing the Http "Server"
>> header to the client)?
>> 
>> Thanks,
>> Hiranya
>> 
>>> 
>>> Rajika
>>> 
>>> 
>>> On Sun, Aug 11, 2013 at 12:30 AM, Hiranya Jayathilaka <hiranya911@gmail.com> wrote:
>>> I noticed that both PT and NHTTP transports pass the "Server" header sent from
>>> the backend server to the client. This is the default programmed behavior, and it can be overridden
>>> if needed using a configuration parameter. But is the default behavior correct? Shouldn't
>>> Synapse completely hide the backend server details from the client?
>>> 
>>> Thanks,
>>> Hiranya
>>> 
>>> --
>>> Hiranya Jayathilaka
>>> Mayhem Lab/RACE Lab;
>>> Dept. of Computer Science, UCSB;  http://cs.ucsb.edu
>>> E-mail: hiranya@cs.ucsb.edu;  Mobile: +1 (805) 895-7443
>>> Blog: http://techfeast-hiranya.blogspot.com
>>> 
>>> 
>> 
>> 
>> --
>> Hiranya Jayathilaka
>> Mayhem Lab/RACE Lab;
>> Dept. of Computer Science, UCSB;  http://cs.ucsb.edu
>> E-mail: hiranya@cs.ucsb.edu;  Mobile: +1 (805) 895-7443
>> Blog: http://techfeast-hiranya.blogspot.com
>> 
>> 
>> 
>> 
>> 
>> -- 
>> Sanjiva Weerawarana, Ph.D.
>> Founder, Director & Chief Scientist; Lanka Software Foundation; http://www.opensource.lk/
>> Founder, Chairman & CEO; WSO2; http://wso2.com/
>> 
>> Blog: http://sanjiva.weerawarana.org/
> 
> --
> Hiranya Jayathilaka
> Mayhem Lab/RACE Lab;
> Dept. of Computer Science, UCSB;  http://cs.ucsb.edu
> E-mail: hiranya@cs.ucsb.edu;  Mobile: +1 (805) 895-7443
> Blog: http://techfeast-hiranya.blogspot.com
> 

--
Hiranya Jayathilaka
Mayhem Lab/RACE Lab;
Dept. of Computer Science, UCSB;  http://cs.ucsb.edu
E-mail: hiranya@cs.ucsb.edu;  Mobile: +1 (805) 895-7443
Blog: http://techfeast-hiranya.blogspot.com

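Added illustration (my own code, not Synapse's transport code): the three Server-header policies raised in this thread, forward as today, replace with a proxy product string, or drop, each combined with the Via hop entry the spec asks a proxy to add. PROXY_PRODUCT, PROXY_VIA_TOKEN and the function name are assumed names chosen here.

```python
from typing import List, Tuple

Header = Tuple[str, str]

# Hypothetical values: the thread proposes "Apache Synapse vX.Y.Z" as a
# default; the Via token is a pseudonym chosen here for the proxy host.
PROXY_PRODUCT = "Apache Synapse vX.Y.Z"
PROXY_VIA_TOKEN = "synapse-gw"


def rewrite_response_headers(headers: List[Header], server_policy: str = "forward",
                             received_protocol: str = "1.1") -> List[Header]:
    """Apply one of the three Server-header policies discussed in the thread and
    always record this hop in Via (RFC 2616 s.14.45: received-protocol received-by).

    forward - pass the backend's Server header through (current Synapse default)
    replace - advertise PROXY_PRODUCT instead, hiding the backend product/version
    remove  - send no Server header at all
    """
    if server_policy not in ("forward", "replace", "remove"):
        raise ValueError(f"unknown Server policy: {server_policy!r}")
    out: List[Header] = []
    via_written = server_written = False
    for name, value in headers:
        lname = name.lower()                     # header names are case-insensitive
        if lname == "server":
            if server_policy == "forward":
                out.append((name, value))
            elif server_policy == "replace" and not server_written:
                out.append(("Server", PROXY_PRODUCT))
                server_written = True
            continue                             # "remove", or a duplicate under "replace"
        if lname == "via":
            # Via is a comma-separated list of hops; append ours to the existing value.
            out.append((name, f"{value}, {received_protocol} {PROXY_VIA_TOKEN}"))
            via_written = True
            continue
        out.append((name, value))
    if server_policy == "replace" and not server_written:
        out.append(("Server", PROXY_PRODUCT))    # backend sent none; still identify the proxy
    if not via_written:
        out.append(("Via", f"{received_protocol} {PROXY_VIA_TOKEN}"))
    return out


if __name__ == "__main__":
    # Constructed backend response headers for a quick demonstration.
    backend = [("Content-Type", "text/html"), ("Server", "Apache-Coyote/1.1")]
    for policy in ("forward", "replace", "remove"):
        print(policy, rewrite_response_headers(backend, policy))
```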
