
5.2 Headers - Clarify X-Powered-By #272


Closed
pnicolucci opened this issue Nov 9, 2019 · 3 comments · Fixed by #362
Labels
Question Further information is requested

Comments

@pnicolucci
Contributor

In section 5.2 it states the following:

It is recommended that containers use the X-Powered-By HTTP header to publish its
implementation information. The field value should consist of one or more
implementation types, such as "Servlet/4.0". Optionally, the supplementary
information of the container and the underlying Java platform can be added after the
implementation type within parentheses. The container should be configurable to
suppress this header.
Here are the examples of this header.
X-Powered-By: Servlet/4.0
X-Powered-By: Servlet/4.0 JSP/2.3 (GlassFish Server Open Source Edition 5.0 Java/Oracle Corporation/1.8)

I'd like to propose that we either remove the recommendation of adding the X-Powered-By header or at the very least clearly document that it should be disabled by default.

Oftentimes this header is flagged as an information disclosure by security tools. I'd also like to ensure that there are no compliance tests that check for this header, as the spec only says it is recommended rather than required.

My personal choice would be to remove this totally.
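As an added illustration (not code from the spec, this issue, or any container), here is a small parser for the X-Powered-By field value format quoted above, plus the kind of check a scanner runs to flag responses that still carry the header. The header samples are constructed from the two values in the spec quote; the `assess_disclosure` name and its severity labels are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# One implementation type as the spec shows it, e.g. "Servlet/4.0" or "JSP/2.3".
_IMPL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)/([0-9][0-9A-Za-z._-]*)$")


def parse_x_powered_by(value: str) -> Tuple[List[Tuple[str, str]], Optional[str]]:
    """Split a field value into (name, version) implementation types and the
    optional parenthesised supplementary info (container and Java platform)."""
    value = value.strip()
    supplementary = None
    if "(" in value:
        value, _, tail = value.partition("(")
        supplementary = tail.rstrip().rstrip(")").strip()
    impls = []
    for token in value.split():
        m = _IMPL_RE.match(token)
        if not m:
            raise ValueError(f"unexpected token in X-Powered-By: {token!r}")
        impls.append((m.group(1), m.group(2)))
    return impls, supplementary


def assess_disclosure(headers: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding if the response carries X-Powered-By, else None.
    Severity is raised when vendor/JVM details are appended in parentheses."""
    for name, value in headers.items():
        if name.lower() != "x-powered-by":  # header names are case-insensitive
            continue
        impls, supplementary = parse_x_powered_by(value)
        return {
            "implementations": impls,
            "supplementary": supplementary,
            "severity": "medium" if supplementary else "low",
            "advice": "suppress X-Powered-By in the container configuration",
        }
    return None


# Constructed sample responses: the two values quoted from the spec, and a
# response from a container configured to suppress the header.
SAMPLES = {
    "minimal": {"Content-Type": "text/html", "X-Powered-By": "Servlet/4.0"},
    "verbose": {"Content-Type": "text/html",
                "x-powered-by": "Servlet/4.0 JSP/2.3 (GlassFish Server Open Source "
                                "Edition 5.0 Java/Oracle Corporation/1.8)"},
    "suppressed": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, assess_disclosure(hdrs))
```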

@stuartwdouglas
Contributor

+1 to removing this.

@gregw
Contributor

gregw commented Nov 11, 2019

+2 as much as it's nice to see evidence of your handiwork... most significant deployments turn it off

@gregw gregw added the Question Further information is requested label Jan 18, 2020
@michael-o

> Oftentimes this header is flagged as an information disclosure by security tools.

Security by obscurity.

stuartwdouglas added a commit to stuartwdouglas/servlet-api that referenced this issue Sep 13, 2020
Fixes jakartaee#272

Signed-off-by: Stuart Douglas <[email protected]>
stuartwdouglas added a commit to stuartwdouglas/servlet-api that referenced this issue Sep 22, 2020
Fixes jakartaee#272

Signed-off-by: Stuart Douglas <[email protected]>
stuartwdouglas added a commit to stuartwdouglas/servlet-api that referenced this issue Oct 13, 2020
Fixes jakartaee#272

Signed-off-by: Stuart Douglas <[email protected]>
stuartwdouglas added a commit to stuartwdouglas/servlet-api that referenced this issue Oct 13, 2020
Fixes jakartaee#272

Signed-off-by: Stuart Douglas <[email protected]>