Opened 8 years ago

Closed 6 years ago

#452 closed enhancement (no response)

http headers not filtered (server x-powered-by etc)

Reported by: dream
Owned by: dream
Priority: minor
Milestone: 0.9
Component: apps/i2ptunnel
Version: 0.8.4
Keywords:
Cc:
Parent Tickets:

Description

The i2ptunnel http server tunnel should have a whitelist of headers it lets through. Among other things, you have to custom patch Apache not to send a "Server: apache" header.

Change History (4)

comment:1 Changed 8 years ago by zzz

  • Component changed from unspecified to apps/i2ptunnel
  • Milestone changed from 0.8.5 to 0.8.6
  • Priority changed from major to minor
  • Type changed from defect to enhancement

"Server" is filtered since 0.8.3. In fact it's code related to that change that is causing the trac login problems (ticket #396).

As discussed elsewhere (zzz.i2p, or on forum.i2p threads related to irongeek's talk iirc) it's hard to anonymize a server with filtering. Error pages, for example, often contain detailed version info.

I was initially against filtering 'Server' as I thought it didn't do much. But Mathias convinced me that it was easy and we might as well do something. Since we are still having login problems I guess it wasn't so easy.

I don't think we can do it with a whitelist, it would break too much. But extending the blacklist to include a couple others like x-powered-by might be good... once we fix the trac login problem!

comment:2 Changed 8 years ago by zzz

  • Milestone changed from 0.8.6 to 0.9

Trac login problem was fixed a couple releases ago. Server: is now filtered. Would you please make a list of all other headers that you propose to filter?

comment:3 Changed 7 years ago by zzz

  • Owner set to dream
  • Status changed from new to assigned

reassigning to dream for a response

comment:4 Changed 6 years ago by zzz

  • Resolution set to no response
  • Status changed from assigned to closed
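
The blacklist and whitelist approaches discussed in this ticket, compared side by side as an added example (this is not I2P's i2ptunnel code). The whitelist contents, the function names and the sample response are assumptions constructed for illustration; the blacklist holds the two headers named in the ticket.

```python
# Added example, not I2P source. SAMPLE and ALLOWLIST are constructed.
DENYLIST = {"server", "x-powered-by"}              # headers named in the ticket
ALLOWLIST = {"date", "content-type", "content-length", "cache-control"}  # hypothetical

SAMPLE = (b"HTTP/1.1 404 Not Found\r\n"
          b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
          b"SERVER: ExampleHTTPd/1.2.3\r\n"        # header names are case-insensitive
          b"X-Powered-By: ExampleLang/4.5\r\n"
          b"Set-Cookie: session=abc123; HttpOnly\r\n"
          b"Content-Type: text/html\r\n"
          b"\r\n"
          b"<address>ExampleHTTPd/1.2.3 at example.i2p</address>")

def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body

def is_continuation(line):
    """Obsolete folded header lines start with a space or tab."""
    return line[:1] in (b" ", b"\t")

def filter_headers(raw, keep):
    """Rebuild the response with only the headers for which keep(name) is true."""
    status, headers, body = split_response(raw)
    kept, keeping = [], False
    for line in headers:
        if not is_continuation(line):
            name = line.split(b":", 1)[0].strip().lower().decode("latin-1")
            keeping = keep(name)
        if keeping:                                # a folded line follows its header
            kept.append(line)
    return b"\r\n".join([status] + kept) + b"\r\n\r\n" + body

def denylist_filter(raw):
    return filter_headers(raw, lambda name: name not in DENYLIST)

def allowlist_filter(raw):
    return filter_headers(raw, lambda name: name in ALLOWLIST)

def header_names(raw):
    _, headers, _ = split_response(raw)
    return [h.split(b":", 1)[0].decode("latin-1")
            for h in headers if not is_continuation(h)]

if __name__ == "__main__":
    print("blacklist keeps:", header_names(denylist_filter(SAMPLE)))
    print("whitelist keeps:", header_names(allowlist_filter(SAMPLE)))
    print("body unchanged: ", split_response(denylist_filter(SAMPLE))[2])
```

With this sample, the narrow whitelist also drops `Set-Cookie`, and neither filter touches the version string in the error page body, which is the limitation comment:1 raises.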