Header leak¶
Description¶
The web/application server is leaking technology stack information via HTTP response headers such as `Server`, `X-Powered-By` or `X-AspNet-Version`.
Such headers tell an attacker which frameworks and components the application depends on, often down to the exact version, which lets them look up and target the known vulnerabilities of those components instead of having to fingerprint the stack first.
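The check a practitioner wants here is a quick scan of a captured response for the headers described above. The following is an added example, not code from the original page or from any scanner: it parses the header block of a raw HTTP/1.x response, reports known disclosure headers, and treats any custom `X-*` header carrying a version number as a leak too. The header list and the three sample responses are constructed for the example and are not taken from a real host.

```python
"""Flag HTTP response headers that disclose the server-side stack.

Added example; the header list and the sample responses below are
constructed for illustration and are not captured from any real system.
"""
import re
from typing import Dict, List

# Response headers whose purpose is to name a product or framework.
DISCLOSURE_HEADERS = {
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
}

# "2.4", "7.4.3", "9.4.51.v20230217": anything that looks like a version number.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.[\w-]+)*")


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the status line and header block of a raw HTTP/1.x response.

    Header names are lower-cased and mapped to the list of their values,
    since a header may legitimately repeat (Set-Cookie, for example).
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue  # tolerate junk rather than crash on it
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_header_leaks(raw: str) -> List[dict]:
    """Return one finding per leaking header value.

    severity "version": the value carries a version number, which can be
    searched directly against vulnerability databases.
    severity "product": the value names a product or framework only.
    Custom X-* headers are reported only when they carry a version, since
    their names alone are not known disclosure headers.
    """
    findings = []
    for name, values in sorted(parse_response_headers(raw).items()):
        for value in values:
            has_version = VERSION_RE.search(value) is not None
            if name in DISCLOSURE_HEADERS:
                findings.append({"header": name, "value": value,
                                 "severity": "version" if has_version else "product"})
            elif name.startswith("x-") and has_version:
                findings.append({"header": name, "value": value, "severity": "version"})
    return findings


# Constructed sample responses (not captured from a live system).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "X-Acme-Build: graphql-gateway 3.12.0\r\n"  # hypothetical custom header
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"data":{"__typename":"Query"}}'
)

# What remains after `ServerTokens Prod` (Apache) and `expose_php = Off`:
# the version numbers are gone but the product name still shows.
PARTIAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    "{}"
)

CLEAN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"


if __name__ == "__main__":
    samples = (("leaky", LEAKY_RESPONSE), ("partial", PARTIAL_RESPONSE), ("clean", CLEAN_RESPONSE))
    for label, resp in samples:
        print(label, find_header_leaks(resp))
```

The `PARTIAL_RESPONSE` case is the one to watch for: the web-server knobs that hide versions still leave the product name in place, so the finding is downgraded rather than cleared.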
Remediation¶
Remove the headers that disclose server-side software and its versions (`Server`, `X-Powered-By`, `X-AspNet-Version` and similar). Check every layer that can add one: the framework, the application server, the reverse proxy and the CDN. Note that `server_tokens off` (nginx) and `ServerTokens Prod` (Apache) drop the version number but still name the product, so verify the headers actually sent rather than the configuration alone.
GraphQL Specific¶
Apollo
Apollo Server adds no header that names itself; the leaking headers come from the HTTP framework it is mounted on (Express, for example, sends `X-Powered-By: Express` unless you call `app.disable('x-powered-by')`) or from the reverse proxy in front of it. Remove `Server`, `X-Powered-By` and any custom header that names implementation details at that layer, and re-check the response headers after each deployment.
Yoga
GraphQL Yoga runs on whatever HTTP server you hand it to (Node's `http` module, Express, Fastify, an edge runtime), so the headers that leak belong to that host rather than to Yoga. Remove `Server`, `X-Powered-By` and any custom header that exposes stack traces or error details at the host or proxy, review the headers actually sent, and keep Yoga and its dependencies patched.
Awsappsync
AWS AppSync is a managed service, so the headers on the GraphQL endpoint itself are set by AWS and are not edited per API. What you control is the custom domain or CloudFront distribution placed in front of it and your logging configuration: make sure that layer adds no identifying headers, and keep headers that carry sensitive values out of logs. Audit the API and resolver configuration regularly.
Graphqlgo
graphql-go serves through Go's `net/http`, which sends no `Server` header by default, so a leaking header was added by your own handler, a middleware or the reverse proxy; remove it where it is set. Sanitizing error messages before they reach the client is worthwhile hardening, but it does not change the response headers.
Graphqlruby
graphql-ruby is a library inside a Rack application and sets no headers of its own. The `Server` header comes from the application server (WEBrick, for instance, announces its version) or the web server in front, so remove it there or with a Rack middleware that deletes it. Sanitized error handling and a GraphQL context free of sensitive data are good practice but do not affect headers.
Hasura
Put the Hasura engine behind a reverse proxy or load balancer and strip or replace the `Server` header there. The `webhook` and `jwt-secret` settings configure authentication and have no effect on response headers.
Agoo
Configure the Agoo server to remove or replace server-identifying HTTP response headers.
Ariadne
Ariadne is an ASGI library; the `Server` header is set by the ASGI server (Uvicorn sends `server: uvicorn` unless started with `--no-server-header`) or by the proxy. Remove it there.
Caliban
Configure the HTTP server Caliban is mounted on, or the proxy in front of it, to remove or replace server-identifying HTTP response headers.
Dgraph
Configure the Dgraph server, or the proxy in front of it, to remove or replace HTTP response headers that reveal technology stack details.
Dianajl
Configure the DianaJL server to suppress or remove unnecessary HTTP response headers that reveal server or framework details.
Directus
Configure Directus, or the proxy in front of it, to remove or replace HTTP response headers that reveal server or framework details.
Flutter
Flutter is a client-side framework; the leaking headers come from the backend serving the GraphQL API, so apply the fix on that server and its proxy.
Graphene
Graphene runs inside a Django or Flask application, so the `Server` header comes from the WSGI/ASGI server or the proxy; remove it there and strip any identifying header the application adds.
Graphqlapiforwp
WordPress runs on PHP, which sends `X-Powered-By: PHP/x.y` unless `expose_php = Off` is set in php.ini; set it, and configure the web server to remove or replace the `Server` header and any header that reveals the plugin version.
Graphqlgophergo
graphql-gophers/graphql-go serves through Go's `net/http`, which sends no `Server` header by default; remove any identifying header added by your handlers, middleware or proxy.
Graphqljava
graphql-java is transport-agnostic; the `Server` header comes from the servlet container or HTTP server hosting it, so configure it there. Disabling detailed error messages in GraphQL responses prevents stack-trace leakage in the body but does not change headers.
Graphqlphp
PHP adds `X-Powered-By: PHP/x.y` when `expose_php` is on; set `expose_php = Off` in php.ini and configure the web server's `Server` header.
Graphqlyoga
See the Yoga entry above: the host HTTP server or proxy sets the leaking headers, so remove `Server`, `X-Powered-By` and identifying custom headers there.
Hypergraphql
Configure the HTTP server hosting HyperGraphQL, or the proxy in front of it, to remove or replace headers that reveal the framework version and other stack details.
Jaal
Jaal serves through Go's `net/http`, which sends no `Server` header by default; remove any identifying header added by your code, middleware or proxy.
Juniper
Juniper is mounted on a Rust web framework (Actix, Warp, Rocket and others); remove or replace identifying headers in that framework's response handling or at the proxy.
Lacinia
Configure the Ring or Pedestal stack serving Lacinia, or the proxy in front of it, to remove headers that reveal server or framework details.
Lighthouse
Lighthouse runs on Laravel and PHP: set `expose_php = Off` in php.ini, and remove any remaining identifying header in a Laravel middleware or at the web server.
Mercurius
Configure the Fastify server Mercurius runs on, or the proxy in front of it, to remove server-identifying headers from HTTP responses.
Morpheusgraphql
Configure the Haskell web server hosting Morpheus GraphQL, or the proxy in front of it, to remove or replace headers that reveal server and framework details.
Gqlgen
gqlgen serves through Go's `net/http`, which sends no `Server` header by default; remove any identifying header added by your code, middleware or proxy.
Sangria
Configure the HTTP server Sangria is mounted on (Akka HTTP, Play or similar), or the proxy in front of it, to remove headers that reveal the use of Sangria or the server version.
Shopify
The headers of Shopify's hosted GraphQL API are set by Shopify; for the app servers you operate around it, remove or replace headers that reveal server or framework details.
Stepzen
StepZen is a hosted service; the headers of the endpoint are set by the service. Remove identifying headers at any proxy or gateway you place in front of it.
Strawberry
Strawberry runs under an ASGI or WSGI server; the `Server` header comes from that server or the proxy, so suppress or replace it there.
Tartiflette
Tartiflette runs under an ASGI server; suppress or replace the `Server` header at the ASGI server or the proxy, and strip any identifying header the application adds.
Wpgraphql
WordPress runs on PHP: set `expose_php = Off` in php.ini and configure the web server to remove or replace headers that reveal the use of WPGraphQL or the server version.
REST Specific¶
Asp_net
Remove every header that names the stack: `X-Powered-By` via a `<remove name="X-Powered-By" />` entry in the `customHeaders` section of web.config, `X-AspNet-Version` via `<httpRuntime enableVersionHeader="false" />`, `X-AspNetMvc-Version` by setting `MvcHandler.DisableMvcResponseHeader = true` at application start, and the IIS `Server` header via `<requestFiltering removeServerHeader="true" />` (IIS 10 and later). On older IIS versions, a `PreSendRequestHeaders` handler in Global.asax.cs that removes `Server` from the response headers covers the last case.
Ruby_on_rails
`config.action_dispatch.default_headers` only controls the headers Rails adds to every response (Rails adds neither `X-Powered-By` nor `Server`), so it cannot remove a `Server` header set by the application server or the reverse proxy. Remove it there, or insert a Rack middleware into the application's middleware stack that deletes the header before the response is sent.
Next_js
Set `poweredByHeader: false` in `next.config.js` to stop Next.js from sending `X-Powered-By: Next.js`; a custom server or middleware can drop anything else the application adds. Make sure the `Server` header from the hosting platform or proxy carries no version, and add protective headers such as `Content-Security-Policy` while you are editing the header set.
Laravel
PHP adds `X-Powered-By: PHP/x.y` when `expose_php` is on, so set `expose_php = Off` in php.ini first. For anything else, write a middleware that removes identifying headers (`Server`, custom build headers) from the response and register it in the global middleware stack so it runs for every response; the web server's own `Server` header is configured in the web server.
Express_js
Call `app.disable('x-powered-by')` to stop `X-Powered-By: Express`, or use `helmet`, which removes that header among the ones it sets. Node's `http` module adds no `Server` header, so if one appears it comes from the reverse proxy and must be removed there.
Django
Django adds neither `Server` nor `X-Powered-By`. The `Server` header you see comes from the WSGI/ASGI server (`runserver` reports `WSGIServer` and the Python version; Gunicorn reports itself) or from the reverse proxy, so configure or strip it there. `SECURE_CONTENT_TYPE_NOSNIFF` and `SecurityMiddleware` add protective headers but do not remove disclosure headers; to strip a header the application itself sets, do it in a custom middleware's response path.
Symfony
Symfony sends no framework-version header of its own. Set `expose_php = Off` in php.ini to drop `X-Powered-By: PHP/x.y`, configure the web server's `Server` header (`ServerTokens Prod` for Apache, `server_tokens off` for nginx; both keep the product name), and remove any remaining identifying header in a `kernel.response` event listener.
Spring_boot
Spring Boot's embedded server sends a `Server` header only when `server.server-header` is set in application.properties or application.yml, so leave it unset (or set a neutral value) and remove anything a proxy adds. `server.error.include-stacktrace=never` keeps stack traces out of error bodies and is worth setting, but it concerns the body, not headers. Spring Security's `headers()` DSL adds protective headers and is not where disclosure headers are removed; prefer a `SecurityFilterChain` bean over the deprecated `WebSecurityConfigurerAdapter`.
Flask
Flask sets no identifying headers itself; the development server (Werkzeug) announces its version and the Python version in `Server`, and in production the WSGI server or reverse proxy sets it. Drop or override headers the application sets in an `after_request` hook, and configure the server or proxy for the rest. Flask-Talisman adds protective headers (HSTS, CSP) but does not remove `Server`.
Nuxt
Remove `X-Powered-By` and similar headers in Nuxt server middleware or in the configuration of the Node server or proxy that hosts the app, and check the headers the deployed site actually sends.
Fastapi
FastAPI sets no `Server` header; the ASGI server does (Uvicorn sends `server: uvicorn` unless started with `--no-server-header`). Configure the ASGI server or proxy, and use a middleware to remove any identifying header the application adds.
Frappe
Configure the Frappe deployment (its WSGI server and the web server in front) to remove or replace server-identifying HTTP response headers.
Genzio
Configure the Genzio deployment to remove or replace HTTP response headers that reveal server technology details.
Gin
Gin serves through Go's `net/http`, which sends no `Server` header by default; if `Server` or `X-Powered-By` appears it was added by your code, a middleware or the proxy, so remove it there.
Gorilla
Gorilla handlers run on Go's `net/http`, which sends no `Server` header by default; remove any identifying header added by your code, middleware or proxy.
Hapi
Configure the hapi server, and the proxy in front of it, to remove or replace default HTTP headers that reveal technology stack information.
Hono
Configure the runtime hosting Hono, or the proxy in front of it, to remove or replace headers such as `Server` and `X-Powered-By` that reveal technology stack details.
Jersey
Jersey sets no `Server` header; it comes from the servlet container or HTTP server hosting it (Jetty, for instance, sends its version unless `sendServerVersion` is disabled in its `HttpConfiguration`). Configure the container, or register a `ContainerResponseFilter` that removes identifying headers from every response.
Koa
Configure the Koa server, and the proxy in front of it, to remove or replace HTTP response headers that reveal technology stack details.
Ktor
Ktor's `DefaultHeaders` plugin adds `Server: Ktor/<version>`; override it with `header(HttpHeaders.Server, ...)` in the plugin configuration, or leave the plugin uninstalled, and check the proxy's own header.
Leptos
Configure the Rust web server Leptos is served from (Axum or Actix), or the proxy in front of it, to remove or replace server-identifying HTTP headers.
Macaron
Macaron serves through Go's `net/http`, which sends no `Server` header by default; remove any identifying header such as `X-Powered-By` added by your code, middleware or proxy.
Phoenix
Cowboy, the HTTP server behind Phoenix, announces itself in the `server` header; override it in a plug with `Plug.Conn.put_resp_header/3`, or replace it at the proxy, and remove any other identifying header the endpoint adds.
Redwoodjs
Configure the RedwoodJS API server, and the proxy in front of it, to remove or replace HTTP response headers such as `X-Powered-By` that reveal technology stack details.
Rocket
Rocket sends `Server: Rocket` by default; remove or replace it in a response fairing, and check the proxy's own header.
Sveltekit
Configure the adapter's server or the proxy serving the SvelteKit app to remove or replace HTTP response headers such as `X-Powered-By` that reveal technology stack details.
Configuration¶
Identifier:
protocol/header_leak
Examples¶
Ignore this check¶
Score¶
- Escape Severity:
Compliance¶
- OWASP: API7:2023
- OWASP LLM: LLM06:2023
- pci: 2.2.5
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.18.1
- nist: SP800-53
- fedramp: AC-6
Classification¶
- CWE: 200
Score¶
- CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CVSS_SCORE: 5.3