
[2.8.x Backport] Customizable HTTP response to "/" (suppress headers)


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.8.1
    • Component/s: SyncGateway
    • Security Level: Public
    • Labels:
      None

      Description

      Originally: https://github.com/couchbase/sync_gateway/issues/3257

       

      As a developer, I should be able to customize the Sync Gateway response to the root path.

      This would typically be done to not reveal the version of the Sync Gateway to HTTP requests to the root path.


      It's less about response customisation and more about an option to protect against fingerprinting.

      https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002)
      https://www.owasp.org/index.php/Fingerprint_Web_Application_(OTG-INFO-009)

      I think we can probably mask the Sync Gateway version to some extent, as long as clients don't rely on it for negotiation? The second link has a useful list of remediations.

      It would be impossible to mask the fact that Sync Gateway is the application that is running.


            Activity

            daniel.petersen Daniel Petersen added a comment -

            And since this will be added to a maintenance release, we don't want any breaking changes so by default this feature needs to be off.

            build-team Couchbase Build Team added a comment -

            Build sync_gateway-2.8.1-8 contains sync_gateway commit 7d7110b with commit message:
            [2.8.1 Backport] CBG-1235 - Add option to hide product version info from non-admin requests (#4935)


              People

              Assignee:
              ben.brooks Ben Brooks
              Reporter:
              ben.brooks Ben Brooks