Typical HTTP response from XC:
HTTP/1.1 200 OK
date: Tue, 05 Sep 2023 23:31:43 GMT
content-type: text/html
content-length: 150
server: volt-adc
x-request-id: 0ee5193d69351fd898e2897835004589
x-envoy-upstream-service-time: 42
x-volterra-location: ny8-nyc
I already submitted https://www.f5cloudideas.com/ideas/CNSL-I-320 suggesting we should not include a Server header.
I would go further and suggest that we should not be including any information in standard headers that disclose who we are.
The x-volterra-location header is such a disclosure, due to 'Volterra', which any actor can quickly discern to be F5 Distributed Cloud. Silverline, by comparison, inserts the following: Via: 1.1 dca1-bit12010. This provides the same information without such disclosure. Suggest to change the header name to X-Via: or whatever is desired.
x-envoy-upstream-service-time: isn't such a problem because the only identifiable info disclosed is 'envoy'. Though I would argue it should be possible to disable this header injection.
This might seem insignificant, but by identifying ourselves on the Internet we increase our risk of becoming a target of opportunity.
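An added example (not from the post or from F5) of the kind of check a team can run over its own edge responses to catch the headers discussed above: it parses a raw response, flags headers whose name or value identifies the platform, and applies the suggested rewrite (drop Server, rename x-volterra-location to X-Via). The responses embedded below are constructed from the samples in the post; the vendor token list is an illustrative assumption.

```python
import re

# Constructed samples: the XC response from the post and a Silverline-style response.
XC_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "date: Tue, 05 Sep 2023 23:31:43 GMT\r\n"
    "content-type: text/html\r\n"
    "content-length: 150\r\n"
    "server: volt-adc\r\n"
    "x-request-id: 0ee5193d69351fd898e2897835004589\r\n"
    "x-envoy-upstream-service-time: 42\r\n"
    "x-volterra-location: ny8-nyc\r\n"
    "\r\n"
)
SILVERLINE_RESPONSE = "HTTP/1.1 200 OK\r\ncontent-type: text/html\r\nvia: 1.1 dca1-bit12010\r\n\r\n"

# Header names that reveal the platform by their mere presence (assumed list).
FINGERPRINT_HEADERS = {"server", "x-volterra-location", "x-envoy-upstream-service-time", "x-powered-by"}
# Vendor/product tokens matched on word boundaries so hex ids such as x-request-id do not false-positive.
VENDOR_TOKENS = ("volterra", "volt", "envoy", "f5")

def parse_headers(raw):
    """Return (status_line, [(lowercased name, value), ...]) from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip blank or malformed lines
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def disclosure_findings(raw):
    """List (name, value, reason) for every header that identifies the platform."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        reasons = []
        if name in FINGERPRINT_HEADERS:
            reasons.append("identifying header name")
        hits = [t for t in VENDOR_TOKENS if re.search(r"\b" + re.escape(t) + r"\b", f"{name} {value}", re.I)]
        if hits:
            reasons.append("vendor token(s): " + ", ".join(hits))
        if reasons:
            findings.append((name, value, "; ".join(reasons)))
    return findings

def apply_suggestions(raw):
    """Apply the post's proposal: drop Server and the envoy timing header, rename the location header to X-Via."""
    _, headers = parse_headers(raw)
    out = []
    for name, value in headers:
        if name in ("server", "x-envoy-upstream-service-time"):
            continue
        out.append(("x-via" if name == "x-volterra-location" else name, value))
    return out
```

Running disclosure_findings on the rewritten headers is the regression check: it should come back empty.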