
Remove Server Info from Response Header

Hi,

All response headers of requests to my website have the "Server: Pythonanywhere" info. For security reasons, I tried to remove that info from the response header by using Flask's "@app.after_request" function, but it didn't work. There is no "Server" info in the headers that are caught by the function. I would like to ask whether you have any ideas to help me with this.

There is no way to remove that from inside a user's account. What kind of security threat does that introduce?
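To show concretely why an application-level hook cannot remove that header, here is an added example (not code from the thread, from Flask, from Django or from PythonAnywhere). It uses only the standard library: a WSGI middleware rewrites the Server header that the application emits, which is exactly what an `@app.after_request` hook or a Django response middleware can reach, and a constructed `front_proxy` function models a hosting front end that stamps its own Server header on the way out. The app (`demo_app`), the banner strings and `front_proxy` are all constructed for the demonstration and are not a description of PythonAnywhere's actual infrastructure.

```python
"""Added example (not from the forum thread): a stdlib-only WSGI middleware
that sets a non-informative Server header, and a constructed model of a
hosting front end that overrides it again.

Assumptions (not from the page): the application is a plain WSGI callable,
which is what Flask's ``app.wsgi_app`` and Django's
``get_wsgi_application()`` both are; ``front_proxy`` is a constructed
stand-in for a front-end layer, not PythonAnywhere's real configuration.
"""

from typing import Callable, Iterable, List, Optional, Tuple

Headers = List[Tuple[str, str]]


def _replace_server(headers: Headers, value: str) -> Headers:
    """Return a copy of ``headers`` with every Server header replaced by ``value``."""
    kept = [(k, v) for k, v in headers if k.lower() != "server"]
    kept.append(("Server", value))
    return kept


def demo_app(environ, start_response) -> Iterable[bytes]:
    """Constructed stand-in for a Flask/Django app that leaks a framework banner."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "DemoFramework/1.0 Python/3.x")])
    return [b"hello\n"]


class ServerHeaderMiddleware:
    """App-level fix: rewrite the Server header before it leaves the application.

    This is the layer an ``@app.after_request`` hook or a Django middleware
    operates at; it can only touch headers the application itself produced.
    """

    def __init__(self, app: Callable, value: str = "webserver") -> None:
        self.app = app
        self.value = value

    def __call__(self, environ, start_response):
        def _start_response(status, headers: Headers, exc_info=None):
            return start_response(status, _replace_server(headers, self.value), exc_info)
        return self.app(environ, _start_response)


def front_proxy(app: Callable, banner: str = "Pythonanywhere") -> Callable:
    """Constructed model of a hosting front end sitting outside the app.

    Whatever Server header the app sent is discarded and replaced with the
    host's own banner, so nothing inside the application can remove it.
    """
    def proxied(environ, start_response):
        def _start_response(status, headers: Headers, exc_info=None):
            return start_response(status, _replace_server(headers, banner), exc_info)
        return app(environ, _start_response)
    return proxied


def call_wsgi(app: Callable, path: str = "/") -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app directly (no network) and capture status, headers, body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None  # write() callable, unused here

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def server_header(headers: Headers) -> Optional[str]:
    """Return the value of the Server header, or None if absent."""
    for k, v in headers:
        if k.lower() == "server":
            return v
    return None


if __name__ == "__main__":
    print("bare app:       ", server_header(call_wsgi(demo_app)[1]))
    print("with middleware:", server_header(call_wsgi(ServerHeaderMiddleware(demo_app))[1]))
    print("behind front end:",
          server_header(call_wsgi(front_proxy(ServerHeaderMiddleware(demo_app)))[1]))
```

Running it prints the framework banner for the bare app, `webserver` once the middleware is in place, and `Pythonanywhere` once the constructed front end wraps everything. The third line is the situation in the thread: the hook inside the app works, but a header added by a layer outside the user's account is out of reach.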

This may give clues to malicious people about both the back-end programming language and the host of the web application. For example, they can try brute force to crack both the e-mail/password and the authentication code on the PythonAnyWhere login page.

The recommendation for this kind of situation exists under the Server heading in the following cheat sheet of The Open Web Application Security Project (OWASP):

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html

We've already followed the recommendation there by providing a non-informative header: it provides no information about the server software and version.

If you're concerned about brute forcing on the login page, we have rate limiting on that page, and you can also use 2FA to make your account more secure, or just use a strong password.

Hello, I am facing the same behavior with Django and a header modification middleware. It is possibly not a security issue but a privacy one; it discloses a relationship with Pythonanywhere, for example, that some users may not want there. Could this response header be modified in a "per user" mode on the web app settings page?

Unfortunately not, but I will add it to our list of suggested enhancements.