Uwebsockets header constitutes a security issue #363
-
The 'Uwebsockets' header is sent by default with any response. While it is a great marketing tool, there must be a way to disable it. Related: #150
Replies: 2 comments
-
You already have UWS_HTTPRESPONSE_NO_WRITEMARK to disable this, but you need to build your own binary with it. This software is free and you can do whatever you want with it, but by default it does send this header, yes. I want users to keep this header, so that's why I have it on by default.
I absolutely see no security issue in telling (roughly) what server is in use. Many, many projects and companies do similar things. Besides, it is not that hard to figure out what tech stack a company uses - oftentimes they list all their tech on the Careers page, etc.
-
I understand, thank you for the thorough explanation.