Admin Page Feature Request

Jay · January 31, 2007, 7:54pm

In the age of information awareness and increased security, it became a standard rule to not allow people to do information gathering on your system (at least, as much as possible). I would like it if the HTTP server headers for the admin pages did not give out the OS and Java release information; or at least an option to disable/change it. So instead of:

Server: Jetty/5.1.x (Linux/2.6.18-3-amd64 amd64 java/1.5.0_10

(Which by the way dosnt have a closing parenthesis on it)

Something like this:

Server: Jetty

(Or just leave it off entirely)

LG1 · January 31, 2007, 8:06pm

Hi Jay,

well, the xmpp iq packets to query local time and os are even worse. I use a reverse proxy in front of my web servers which filters out the server header of them but using a privacy list to disable the iq packets is not so cool.

server.setSendServerVersion(false);

should do it in Wildfire’'s source code.

LG

Gaston_Dombiak · January 31, 2007, 8:24pm

Hey guys,

Thanks for the bug/improvement report. I filed JM-946 for this issue and will check in a fix (once I have permission again on SVN).

Regards,

– Gato

Jay · January 31, 2007, 8:27pm

Ick- I didnt know about the iq packets for os (time is ok, that can be determined in so many ways I expect an outsider to be able to figure out what my clock says)

There should be a way to prevent this too (tack it all into the security page or something)