Upgrade error responses provide details of the implementation and the protocol. This may be useful when debugging, but in production it's a security risk.
I don't think there is a need to change anything - it is a common practice to report the server implementation, and all HTTP servers I know do it. You can pick any site, and do curl -D - -o /dev/null https://example.com | grep -i server and see the server implementation. Apache even reports details like the OpenSSL version, so I don't see the issue here.
@PhilipRoman The issue is that it isn't necessary to expose the implementation, and if any vulnerabilities exist, it makes them easier to exploit. Using your command, I can't find an important website that discloses the server implementation.
"While exposed server information is not necessarily in itself a vulnerability, it is information that can assist attackers in exploiting other vulnerabilities that may exist."
Java-WebSocket/src/main/java/org/java_websocket/WebSocketImpl.java
Line 463 in 30ba037