workerman
remove header['server'] for security reasons
To increase the security of websites, it is better that no one understands what technologies the program uses
Personally I would prefer an optional setting to customize the server response string, or set to false to disable it altogether.
Adding an option is a good way to do that. Maybe like this:
Http::$exposeServer = false;
hi @xpader @detain
I think it is better for it not to exist at all. Anyone who wants to show in the tabs that you are using workerman can post it in the tabs themselves. In practice, this eliminates several conditions, and this affects the speed (albeit insignificantly).
Security should not just be superficial work. Modifying the server identifier in the response, whether to obscure it or remove it, does nothing about the vulnerabilities that actually exist.
The server identifier has other uses: it is also a symbol of server market share and a symbol of credibility. Deleting it outright is disrespectful to the author.
You can choose to modify the information in the package when you use it yourself, or rewrite the implementation of the HTTP protocol yourself, instead of directly asking the original project to delete its identity.
Whether it is Taobao, Google or Twitter, the responses of their websites carry a server header.
I'm with @sangyuxiaowu, the server details must be preserved, but they should also be configurable as @xpader says.
I can send a PR ASAP with this request, keeping the server signature active by default.
Adding a configuration for that is not cost-effective, and it is speculated that 90% of people will not set it. Deleting the server header by passing an empty server header appears to be a compromise solution.

```php
use Workerman\Connection\TcpConnection;
use Workerman\Protocols\Http\Request;
use Workerman\Protocols\Http\Response;

$worker->onMessage = function (TcpConnection $connection, Request $request) {
    // An explicit empty 'server' header overrides the default one.
    $response = new Response(200, ['server' => ''], 'body');
    $connection->send($response);
};
```
Yes, @walkor. But I think that we need to show the Server header.
If anybody has a problem with that, then put it behind a proxy. Hiding the server name will never be a solution.
What do they want to hide? Workerman? Or their app code?
The server only has the header. Your app has the URL. We can hide the URL from your app too. But how will your guests/clients arrive at your app?
How can anybody report a problem to Workerman without the server header?
A server never hides the server header. Also, very problematic apps have a lot of security problems, but everybody knows the app? Example: wordpress, drupal, ...
Examples with other servers: https://search.brave.com/search?q=security+is+not+hide+server+header&source=web
Any app has a lot more security problems than a server!!! It's good to hide the version. But not the server header, or your app URL.
With a security problem, any good hacker checks the vulnerability, not the server or app. The server or app is irrelevant; they only check for the security hole.
The problem is the security hole; it is the same wherever the hole is.
@joanhey all internet-facing servers have an option to hide the server version to avoid direct attacks against version vectors.
Apache: ServerSignature Off
nginx: server_tokens off;
PHP: expose_php = off
ProFTPd: ServerIdent off
And there are a lot of more examples.
@eusonlito yes, the server version. Try also disabling the server name in Nginx or Apache.
Nginx: https://www.cyberciti.biz/faq/hide-nginx-version-in-linux-and-unix/ Apache: https://www.petefreitag.com/item/419.cfm
@joanhey yes, I'm commenting about the server details (version).
Ok, according to the discussion, keep the server header and remove version information.
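As an added illustration of the compromise the thread settles on (keep the product name, drop the version), here is a small audit helper that is not part of workerman or this issue: it extracts the Server header from a raw HTTP/1.x response, reports whether it discloses a version, and produces the product-only form. The sample header values and the response bytes are constructed for the example; `audit`, `strip_versions`, `disclosed_versions` and `parse_server_header` are names chosen here, not workerman APIs.

```python
import re
from typing import Optional

# Constructed sample Server header values (not captured from any real host).
SAMPLE_SERVER_HEADERS = {
    "nginx-default": "nginx/1.18.0",
    "apache-verbose": "Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f",
    "workerman-with-version": "workerman/4.1.0",
    "workerman-product-only": "workerman",
    "empty": "",
}

# A Server value is a list of product tokens: product[/version], with optional
# parenthesised comments (RFC 7231 section 7.4.2). This matches the version part.
VERSION_RE = re.compile(r"/(\d[\w.\-]*)")


def disclosed_versions(server_value: str) -> list[str]:
    """Return every version token found in a Server header value."""
    return [m.group(1) for m in VERSION_RE.finditer(server_value)]


def strip_versions(server_value: str) -> str:
    """Keep product names, drop '/version' suffixes and '(comment)' parts."""
    without_comments = re.sub(r"\s*\([^)]*\)", "", server_value)
    return re.sub(r"/[\w.\-]+", "", without_comments).strip()


def parse_server_header(raw_response: bytes) -> Optional[str]:
    """Extract the Server header value from a raw HTTP/1.x response head.

    Returns None when the header is absent (header names are case-insensitive).
    """
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def audit(server_value: Optional[str]) -> str:
    """Classify a Server header: 'hidden', 'product-only' or 'version-disclosed'."""
    if not server_value:
        return "hidden"
    if disclosed_versions(server_value):
        return "version-disclosed"
    return "product-only"


if __name__ == "__main__":
    # Constructed response head, as a workerman-style server might emit it.
    sample = b"HTTP/1.1 200 OK\r\nServer: workerman/4.1.0\r\nContent-Length: 4\r\n\r\nbody"
    value = parse_server_header(sample)
    print(value, "->", audit(value), "->", strip_versions(value))
    for label, header in SAMPLE_SERVER_HEADERS.items():
        print(f"{label:24} {header!r:42} {audit(header)}")
```

Running the script over the constructed samples shows that `workerman` on its own is classified as product-only, while the versioned variants are flagged; `strip_versions` is what a reverse proxy or the application itself would apply before the response leaves the host.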