Details
Task
Resolution: Fixed
Major
None
Security Level: Public
None
CBG Sprint 65
5
Description
Originally: https://github.com/couchbase/sync_gateway/issues/3257
As a developer, I should be able to customize the Sync Gateway response to the root path.
This would typically be done to not reveal the version of the Sync Gateway to HTTP requests to the root path.
It's less about response customisation and more about an option to protect against fingerprinting.
https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002)
https://www.owasp.org/index.php/Fingerprint_Web_Application_(OTG-INFO-009)
I think we can probably mask the Sync Gateway version to some extent, as long as clients don't rely on it for negotiation? The second link has a useful list of remediations.
It would be impossible to mask the fact that Sync Gateway is the application that is running.
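A sketch of the masking described above, as an added example that is not Sync Gateway's own code: the `hideVersion` option name, the response shape and the version string are assumptions constructed for illustration. It masks the version in both the JSON body and the `Server` header, while the product name stays visible.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample values; the version is not a real Sync Gateway build.
const (
	productName    = "Couchbase Sync Gateway"
	productVersion = "0.0.0-example"
)

// rootHandler answers requests to the root path. hideVersion is a
// hypothetical option name; the response shape is assumed for illustration.
func rootHandler(hideVersion bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		vendor := map[string]string{"name": productName}
		body := map[string]interface{}{"vendor": vendor}
		server := productName
		if !hideVersion {
			vendor["version"] = productVersion
			body["version"] = productName + "/" + productVersion
			server += "/" + productVersion
		}
		// The Server header would leak the same string as the body,
		// so both are built from the same masked values.
		w.Header().Set("Server", server)
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(body)
	}
}

// probeRoot issues an in-memory GET / and returns the Server header and body,
// which is what a deployment check would inspect for version disclosure.
func probeRoot(h http.Handler) (string, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Header().Get("Server"), rec.Body.String()
}

func main() {
	for _, hide := range []bool{false, true} {
		server, body := probeRoot(rootHandler(hide))
		fmt.Printf("hide=%v Server=%q body=%s", hide, server, body)
	}
}
```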