Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove nginx from response headers and error responses #406

Merged
merged 1 commit into from
Apr 29, 2024
Merged

Remove nginx from response headers and error responses #406

merged 1 commit into from
Apr 29, 2024

Conversation

kathap
Copy link
Contributor

@kathap kathap commented Apr 19, 2024

We observed that the server name (Nginx) is leaked in the header and in the body of an error message.

To bolster the security stance of the web application and reduce the likelihood of information exposure, it's highly advised to refrain from divulging the server's name and version in any response data, including error messages.

What the PR changes: adjust NGINX sources by using sed to perform an in-place substitution of the server name before building nginx (Found by @philippthun here)

With this change the server name does not appear any more in any response/error message.

  • I have viewed signed and have submitted the Contributor License Agreement

  • I have made this pull request to the develop branch

  • I have run CF Acceptance Tests on bosh lite

@kathap
Remove nginx from response headers and error responses
1bacbe1 
We observed that the server name (Nginx) is leaked in the header and in the body of an error message.

To enhance the security posture of the web application and mitigate the risk associated with information
disclosure, it is strongly recommended to not share the server name and/or version in any response
information. This does include any type of error messages.

Solution: adjust NGINX sources by using sed to perform an in-place substitution of the server name before building nginx
@kathap kathap marked this pull request as draft April 19, 2024 15:39
@kathap kathap marked this pull request as ready for review April 23, 2024 14:24
kathap added a commit to cloudfoundry/capi-bara-tests that referenced this pull request Apr 23, 2024
@kathap
Added a test to check if server name is not leaked
8454862 
With capi-release PR cloudfoundry/capi-release#406 the server name will not be any more present in response headers.
This PR adds a test to check the server name is not present in the
response header.
@kathap kathap mentioned this pull request Apr 23, 2024
Merged
kathap added a commit to cloudfoundry/capi-bara-tests that referenced this pull request Apr 23, 2024
@kathap
Added a test to check if server name is not leaked
c9375dd 
With capi-release PR cloudfoundry/capi-release#406 the server name will not be any more present in response headers.
This PR adds a test to check the server name is not present in the
response header.
@moleske
Copy link
Member

moleske commented Apr 29, 2024

assuming we'll close this draft version of this change

@kathap kathap merged commit 4099eea into cloudfoundry:develop Apr 29, 2024
2 checks passed
kathap added a commit to cloudfoundry/capi-bara-tests that referenced this pull request Apr 29, 2024
@kathap
Added a test to check if server name is not leaked (#97)
06c0022 
* Added a test to check if server name is not leaked

With capi-release PR cloudfoundry/capi-release#406 the server name will not be any more present in response headers.
This PR adds a test to check the server name is not present in the
response header.
@kathap kathap mentioned this pull request Apr 29, 2024
Closed
3 tasks
joaopapereira added a commit to joaopapereira/cf-cli that referenced this pull request Jun 18, 2024
@joaopapereira
Remove check for Server header in curl request tests
0e5ca67 
Starting on version 1.181.0, capi will no longer report the version of
the nginx server to ensure that no information is leaked.
For more information check cloudfoundry/capi-release#406

Signed-off-by: João Pereira <joaod@vmware.com>
joaopapereira added a commit to joaopapereira/cf-cli that referenced this pull request Jun 20, 2024
@joaopapereira
Remove check for Server header in curl request tests
db530c1 
Starting on version 1.181.0, capi will no longer report the version of
the nginx server to ensure that no information is leaked.
For more information check cloudfoundry/capi-release#406

Signed-off-by: João Pereira <joaod@vmware.com>
gururajsh pushed a commit to cloudfoundry/cli that referenced this pull request Jun 20, 2024
@joaopapereira
Fix pr issues (#2968)
36abb81 
* Ensure correct pool is being used for PRs

* Use integration workflow directly from unit tests

* Provide secret directly instead of using env variable

* Remove check for Server header in curl request tests

Starting on version 1.181.0, capi will no longer report the version of
the nginx server to ensure that no information is leaked.
For more information check cloudfoundry/capi-release#406

* Change in response from UAA

Starting on version 76.26.0 of UAA a change was made that changes the
behavior more context in cloudfoundry/uaa#2545

Signed-off-by: João Pereira <joaod@vmware.com>
joaopapereira added a commit to joaopapereira/cf-cli that referenced this pull request Jun 20, 2024
@joaopapereira
Remove check for Server header in curl request tests
e1de6dc 
Starting on version 1.181.0, capi will no longer report the version of
the nginx server to ensure that no information is leaked.
For more information check cloudfoundry/capi-release#406

Signed-off-by: João Pereira <joaod@vmware.com>
gururajsh pushed a commit to cloudfoundry/cli that referenced this pull request Jun 20, 2024
@joaopapereira
[v8] Fix pr issues (#2973)
56666f0 
* Ensure correct pool is being used for PRs

* Use integration workflow directly from unit tests

* Provide secret directly instead of using env variable

* Remove check for Server header in curl request tests

Starting on version 1.181.0, capi will no longer report the version of
the nginx server to ensure that no information is leaked.
For more information check cloudfoundry/capi-release#406

* Change in response from UAA

Starting on version 76.26.0 of UAA a change was made that changes the
behavior more context in cloudfoundry/uaa#2545

Signed-off-by: João Pereira <joaod@vmware.com>
joaopapereira added a commit to joaopapereira/cf-cli that referenced this pull request Jun 24, 2024
@joaopapereira
Remove check for Server header in curl request tests
867d09c 
Starting on version 1.181.0, capi will no longer report the version of
the nginx server to ensure that no information is leaked.
For more information check cloudfoundry/capi-release#406

Signed-off-by: João Pereira <joaod@vmware.com>
a-b pushed a commit to cloudfoundry/cli that referenced this pull request Jun 28, 2024
@joaopapereira
[v7] Fix pr issues (#2974)
a52de05 
* Ensure correct pool is being used for PRs
* Use integration workflow directly from unit tests
* Provide secret directly instead of using env variable
* Remove check for Server header in curl request tests

Starting on version 1.181.0, capi will no longer report the version of
the nginx server to ensure that no information is leaked.
For more information check cloudfoundry/capi-release#406

* Change in response from UAA

Starting on version 76.26.0 of UAA a change was made that changes the
behavior more context in cloudfoundry/uaa#2545

* Revert min-capi tests introduction
* Incorrect merge of cherry-pick

Signed-off-by: João Pereira <joaod@vmware.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moleske moleske moleske approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kathap @moleske