Replies: 4 comments 1 reply
-
You don't mention how you've deployed DefectDojo, so I'll have to answer generally: for most deploys of DefectDojo, nginx is used to front the Django app (e.g. the nginx container in docker compose). You can customize the nginx.conf file to set server_tokens to off; more information is available from the Nginx docs at https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens. Where and how to edit the nginx.conf depends on the deploy used.
-
Hi, we are still getting the nginx version in the response HTTP header field.
-
Hi @mtesauro, we've already tested setting the server_tokens directive to off in our env, including in the http section, and it doesn't work. Ideas?
-
I don't know how you have it installed/configured, but I either bind-mount in an nginx.conf so I can customize it as I want or need, or docker build my own version of the Nginx container with my custom nginx.conf included in that build. An example of bind-mounting the Nginx conf into the container is at https://github.com/DefectDojo/Community-Contribs/blob/master/CentOS-7-deploy/dojo/docker-compose.yml#L19
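The two pieces discussed in this thread, a custom nginx.conf with `server_tokens off;` (first reply) and a check that the resulting `Server` header no longer carries a version (the bind-mount approach in the reply above), as an added example script that is not part of the discussion or of DefectDojo's own files. The listen port, the `uwsgi` upstream name, the `/etc/nginx/nginx.conf` mount target and the sample response headers are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not DefectDojo's own configuration. Generates a minimal
# nginx.conf with server_tokens disabled and checks captured HTTP response
# headers for a version-bearing Server header.
set -eu

# Write a minimal nginx.conf into directory $1 and print its path.
write_nginx_conf() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/nginx.conf" <<'EOF'
worker_processes 1;
events { worker_connections 1024; }
http {
    # Hide the nginx version from the Server header and from error pages.
    # Note: the header still reads "Server: nginx"; only the version goes.
    server_tokens off;
    server {
        listen 8080;
        # "uwsgi:8081" is an assumed upstream; DefectDojo's shipped conf differs.
        location / { proxy_pass http://uwsgi:8081; }
    }
}
EOF
  printf '%s\n' "$dir/nginx.conf"
}

# Return 0 if the nginx.conf at $1 contains an active "server_tokens off;".
conf_hides_version() {
  grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$1"
}

# Read raw HTTP response headers on stdin; return 0 if the Server header
# carries a version (e.g. "nginx/1.2.3"), 1 otherwise. Prints the value seen.
server_header_has_version() {
  value=$(sed -n 's/^[Ss]erver:[[:space:]]*//p' | tr -d '\r')
  printf 'Server header: %s\n' "${value:-<absent>}"
  case "$value" in
    */[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage, with the conf bind-mounted into the stock nginx image (assumed
# mount target /etc/nginx/nginx.conf, as in a docker-compose "volumes:" entry
#   - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
# ) and the live check run against the proxy:
#   conf=$(write_nginx_conf ./nginx) && conf_hides_version "$conf"
#   curl -sI http://localhost:8080/ | server_header_has_version && echo "version still exposed"
```

`server_tokens off;` removes the version but stock nginx keeps emitting `Server: nginx`; removing or rewriting the header entirely needs a module outside the stock build (for example the third-party headers-more module's `more_clear_headers 'Server';`) or a patched build, which is why the check above only flags a version string rather than the header's presence.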
-
Hello,
to address an internal security audit we should not display the Server header, or at least not show informative values, following the recommendation of the OWASP HTTP Headers Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#server
The OWASP HTTP Headers Cheat Sheet recommendation is to remove this header or set non-informative values. Do you have anything similar to address this potential vulnerability I am asking about?
As most likely we don't have any DD initiative to set this header to OFF, is it possible to customise it with non-informative values?
Thanks