Information Disclosure in Response Header names

Typical HTTP response from XC:

HTTP/1.1 200 OK

date: Tue, 05 Sep 2023 23:31:43 GMT
content-type: text/html
content-length: 150
server: volt-adc
x-request-id: 0ee5193d69351fd898e2897835004589
x-envoy-upstream-service-time: 42
x-volterra-location: ny8-nyc

I already submitted suggesting we should not include a Server header.

I would go further and suggest that we should not be including any information in standard headers that disclose who we are.

The x-volterra-location header is such a disclosure, due to 'Volterra; which any actor can quickly discern to be F5 distributed cloud. Silverline, by comparison, inserts the following: Via: 1.1 dca1-bit12010 . This provides the same information without such disclosure. Suggest to change the header name to X-Via: or whatever is desired.

x-envoy-upstream-service-time: isn't such a problem because the only identifiable info disclosed is 'envoy'. Though I would argue it should be possible to disable this header injection.

This might seem insignificant but by identifying ourselves on the Internet we increase our risk of becoming a target of opportunity.

  • Dylan Syme
  • Sep 5 2023
  • Attach files