Snippet #3: LineRate and Response Header Modification

Web servers and application frameworks often set response headers that reveal the software in use, down to product name and version. That information has reconnaissance value for an attacker: it lets them match the deployment against known vulnerabilities before sending a single probe. The 'Server' response header defined in RFC 7231 (section 7.4.2) typically carries a value such as 'Apache/2.4.7 (Ubuntu)'. RFC 7231 section 9.6 ("Disclosure of Fingerprinting Information") advises discretion when revealing identifying information about client software; the same caution applies to what servers reveal about themselves, yet many application developers unwittingly let their servers pass this information on. Note that the older HTTP/1.1 specification (RFC 2616, section 14.38) prohibited a proxy from modifying the 'Server' header and asked it to add a 'Via' header instead. A 'Via' field may still be added to forwarded responses, but it is optional there and is not added here. Stripping these headers is a defence-in-depth measure, not a substitute for patching: a stack can still be fingerprinted from error pages, cookie names, header ordering and other behaviour, so removing the obvious banners only raises the cost of reconnaissance.

On that subject, here is a quick LineRate snippet that removes the 'Server' header and the non-standard 'X-Powered-By' header from every response passing through a virtual server:

"use strict";

var vsm = require('lrs/virtualServerModule');

var requestHandler = function(servReq, servResp, cliReq){
  servReq.on('response', function responseHandler(cliResp){
    cliResp.bindHeaders(servResp);
    servResp.removeHeader("Server");
    servResp.removeHeader("X-Powered-By");
    cliResp.pipe(servResp);
  });
  cliReq();
}

vsm.on('exist', 'myVirtualServer', function(vs) {
  console.log('myVirtualServer started');
  vs.on('request', requestHandler);
});
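The same scrubbing as a portable, runnable JavaScript routine, added here as an example for this page; it is not LineRate code and does not use the LineRate API. It parses a raw HTTP/1.1 response head, removes a denylist of fingerprinting headers case-insensitively (the two from the snippet above plus the well-known ASP.NET version headers, which goes beyond the article's pair), and provides an audit check to confirm nothing leaked. The sample response head is constructed for the example; the function and header names are this example's own.

```javascript
'use strict';

// Headers that identify server-side software. Compared case-insensitively
// because HTTP field names are case-insensitive; a scrubber that only matches
// "Server" would miss "server:" from an origin that lowercases its headers.
const FINGERPRINT_HEADERS = ['server', 'x-powered-by', 'x-aspnet-version', 'x-aspnetmvc-version'];

// Parse a raw response head ("HTTP/1.1 200 OK\r\nName: value\r\n...") into
// {statusLine, headers}, where headers is an array of [name, value] pairs so
// that duplicates and the original order are preserved.
function parseHead(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.length > 0);
  const statusLine = lines[0];
  const headers = [];
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 1) throw new Error('malformed header line: ' + line);
    headers.push([line.slice(0, idx).trim(), line.slice(idx + 1).trim()]);
  }
  return { statusLine, headers };
}

// Remove every occurrence of each denylisted header. Returns the scrubbed head
// plus the exact lines removed, so a deployment can log what it is hiding.
function stripFingerprintHeaders(raw, denylist = FINGERPRINT_HEADERS) {
  const deny = new Set(denylist.map((n) => n.toLowerCase()));
  const { statusLine, headers } = parseHead(raw);
  const removed = [];
  const kept = headers.filter(([name, value]) => {
    if (deny.has(name.toLowerCase())) {
      removed.push(`${name}: ${value}`);
      return false;
    }
    return true;
  });
  const head = [statusLine, ...kept.map(([n, v]) => `${n}: ${v}`)].join('\r\n') + '\r\n\r\n';
  return { head, removed };
}

// Audit helper: does a response head still carry any denylisted header?
// Run it against what the proxy actually emits, not against the origin.
function leaksFingerprint(raw, denylist = FINGERPRINT_HEADERS) {
  const deny = new Set(denylist.map((n) => n.toLowerCase()));
  return parseHead(raw).headers.some(([name]) => deny.has(name.toLowerCase()));
}

// Constructed sample (not captured traffic): what a PHP-on-Apache origin
// commonly returns. The lowercase "server" is deliberate.
const SAMPLE_RESPONSE_HEAD = [
  'HTTP/1.1 200 OK',
  'Date: Tue, 06 Jun 2023 12:00:00 GMT',
  'server: Apache/2.4.7 (Ubuntu)',
  'X-Powered-By: PHP/5.5.9',
  'Content-Type: text/html; charset=UTF-8',
  'Content-Length: 1234',
  '',
  '',
].join('\r\n');

const demo = stripFingerprintHeaders(SAMPLE_RESPONSE_HEAD);
console.log('removed:', demo.removed);
console.log('leaks after scrub:', leaksFingerprint(demo.head));
console.log(demo.head);
```

To confirm the proxy itself is clean, check the live edge rather than the origin, for example `curl -sI https://host/ | grep -i -E '^(server|x-powered-by|x-aspnet-version):'` should print nothing.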
Updated Jun 06, 2023
Version 2.0
