Dev - Nexus Repo / NEXUS-17700

Setting sendServerVersion to false does not remove server header

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.13.0, 3.25.1, 2.15.0, 2.15.1
    • Fix Version/s: None
    • Component/s: Configuration

      Description

      It's expected that setting sendServerVersion to false in etc/jetty/jetty.xml should remove the Server header from a response; however, after doing so the header is still present.

      <Set name="sendServerVersion"><Property name="jetty.send.server.version" default="true"/>false</Set>

      restart

      curl -I http://localhost:8081

      Sonatype Analysis

      Repository 2.15.0

      Adding this property to conf/nexus.properties will remove the Server header from all responses from Jetty that are not directly handled by our application:

      jetty.httpConfig.sendServerVersion=False
      

      For example, if our application is at web context path /nexus and you make a request to /someotherpath instead, you will get a 404 response without any Server header. This feature is preserved for requests not handled by our application.

      However, there is no supported way to remove the Server header "Server: Nexus/2.15.1-02" when accessing content served from our application.

      Responding with the Server header containing our product name and version is considered by us a valuable effect for debugging and tracing purposes, and so far we have decided that we do not wish to change this. So far, removing the header by justifying it as "security through obscurity" does not outweigh the benefits we observe by retaining it.

      Repository 3

      There is also no ability to completely remove the server header inside our application. Instead we recommend that removal of this header be done at a reverse proxy server level if needed by your organization.
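      The reverse-proxy approach recommended above, as an added example that is not part of the ticket or of Nexus's own configuration: an nginx front end that drops the upstream Server header before responses reach clients. It assumes nginx terminates TLS on port 443, Nexus listens on 127.0.0.1:8081 (the port used in the ticket's curl check), and the hostname and certificate paths are placeholders.

```nginx
# Added example (not from the ticket): nginx reverse proxy in front of
# Nexus Repository that strips the upstream "Server: Nexus/x.y.z" header.
# Assumptions: Nexus on 127.0.0.1:8081; hostname and TLS paths are placeholders.

events { }

http {
    # Hides nginx's own version; a bare "Server: nginx" header remains.
    # Removing that too needs the third-party headers-more module:
    #   more_clear_headers 'Server';
    server_tokens off;

    upstream nexus {
        server 127.0.0.1:8081;
    }

    server {
        listen 443 ssl;
        server_name nexus.example.internal;            # placeholder

        ssl_certificate     /etc/nginx/tls/nexus.crt;  # placeholder
        ssl_certificate_key /etc/nginx/tls/nexus.key;  # placeholder

        # Artifact uploads can be large; avoid 413 responses from the proxy.
        client_max_body_size 1G;

        location / {
            # Do not pass the upstream Server header through to clients.
            # Covers both application responses and Jetty's own 404s.
            proxy_hide_header Server;

            proxy_pass http://nexus;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

      Verify with the ticket's own check (curl -I against the proxy instead of port 8081): the Nexus version no longer appears, and any remaining Server line comes from nginx itself, not from the application.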

            People

            Assignee: Unassigned
            Reporter: Hardeep Nagra
            CC: Peter 'Pessoft' Kolínek
            Last Updated By: Joe Tom
            Votes: 0
            Watchers: 7
