Details
- Improvement
- Resolution: Done
- Major
- None
Description
The REST endpoint returns information about the Sync Gateway that could be used for fingerprinting (identifying the platform and version in order to exploit known vulnerabilities in it).
Option: In production environments deployed behind an application-level load balancer, it is possible to block access to the / endpoint (or rewrite the response, but that would require deep packet inspection) and to configure the load balancer to suppress the headers.
Enhancement:
Option 1:
Update the default behavior to
- Suppress the Sync Gateway version header
- Remove Sync Gateway version information from the / response
and then include config options that would
- allow headers to return version info
- update the response of the / endpoint to return specific version information
This would be a breaking change and must be accommodated in a major release.
Option 2:
Alternatively, to avoid this being a breaking change so it can be delivered sooner:
- The default behavior is unchanged
- Support two config options:
  - one that would allow headers to be suppressed
  - one that restricts the response of the / endpoint so it does not reveal any specific version information
Specifically:
1) The REST endpoint returns the following details in headers:
Content-Encoding: gzip
Content-Type: application/json
Server: Couchbase Sync Gateway/2.8.0 EE
Date: Mon, 14 Sep 2020 22:17:12 GMT
Content-Length: 760
2) The / endpoint on Sync Gateway's public interface returns the following information:
{
  "couchdb": "Welcome",
  "vendor": ,
  "version": "Couchbase Sync Gateway/2.8.0(365;1ed0c13) EE"
}
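As an added example (not code from the Sync Gateway project or from this issue), the following Python checks a captured / response for the version disclosure quoted above and applies the Option 2 style redaction (drop the Server header, strip version fields from the body). The sample headers and body are constructed from the values in this issue; the contents of the "vendor" object are an assumption, since the issue does not show them.

```python
import re

# Matches product/version strings such as "Couchbase Sync Gateway/2.8.0 EE"
# or "Couchbase Sync Gateway/2.8.0(365;1ed0c13) EE".
VERSION_RE = re.compile(r"Couchbase Sync Gateway/\d+\.\d+\.\d+(?:\([^)]*\))?")

# Constructed sample response built from the values quoted in this issue.
# The "vendor" object is an assumption; the issue does not show its contents.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Server": "Couchbase Sync Gateway/2.8.0 EE",
}
SAMPLE_BODY = {
    "couchdb": "Welcome",
    "vendor": {"name": "Couchbase Sync Gateway", "version": "2.8"},
    "version": "Couchbase Sync Gateway/2.8.0(365;1ed0c13) EE",
}


def find_version_disclosures(headers, body):
    """Return (location, value) pairs that reveal a product version: a Server
    header carrying a version, any JSON key named "version", and any string
    value anywhere in the body that matches VERSION_RE."""
    findings = []
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    if VERSION_RE.search(server):
        findings.append(("header:Server", server))

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, str) and (path.endswith("version") or VERSION_RE.search(node)):
            findings.append((f"body:{path}", node))

    walk(body, "")
    return findings


def redact_version(headers, body):
    """Option 2 behaviour: drop the Server header and strip version data from the body."""
    new_headers = {k: v for k, v in headers.items() if k.lower() != "server"}

    def scrub(node):
        if isinstance(node, dict):
            return {k: scrub(v) for k, v in node.items()
                    if k != "version" and not (isinstance(v, str) and VERSION_RE.search(v))}
        return node

    return new_headers, scrub(body)


if __name__ == "__main__":
    print(find_version_disclosures(SAMPLE_HEADERS, SAMPLE_BODY))
    print(redact_version(SAMPLE_HEADERS, SAMPLE_BODY))
```

In practice the headers and parsed JSON body would come from an actual response to the / endpoint; an empty findings list after redaction is the condition a deployment check should assert.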