cd web2py/gluon grep -r X-Powered-By ./globals.py: self.headers['X-Powered-By'] = 'xping'
воскресенье, 12 апреля 2020 г., 16:02:13 UTC+3 пользователь Yan Wong написал: > > I'm a bit disappointed that web2py by default sets `X-Powered-By: web2py` > in the http header, thus making it easier for web-scanning tools to detect > the software running behind a web site, and allow more targetted attacks. > Is there an easy config option to efficiently turn this off for all pages / > json responses etc served by web2py? Also, are there other ways to obscure > the fact that it is web2py / python running on a web server, and reduce > information disclosure? For example, can anyone detect what python version > I'm running by using web queries: I see that rocket server puts the python > version in the `Server:` header, which seems bad to me, although my > production machine simply returns `Server: nginx` which is a little better, > I suppose. I suspect it will never be possible to obscure the software > entirely, but anything that makes it harder for the script kiddies seems > like an easy win to me. > -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/568d754e-316b-4cfb-abba-312bd83d549f%40googlegroups.com.
