Standard way of removing X-Powered-By: web2py http header?


Yan Wong

Apr 12, 2020, 9:02:13 AM4/12/20
to web2py-users
I'm a bit disappointed that web2py by default sets `X-Powered-By: web2py` in the http header, thus making it easier for web-scanning tools to detect the software running behind a web site, and allowing more targeted attacks. Is there an easy config option to efficiently turn this off for all pages / json responses etc. served by web2py? Also, are there other ways to obscure the fact that it is web2py / python running on a web server, and reduce information disclosure? For example, can anyone detect what python version I'm running by using web queries? I see that the rocket server puts the python version in the `Server:` header, which seems bad to me, although my production machine simply returns `Server: nginx`, which is a little better, I suppose. I suspect it will never be possible to obscure the software entirely, but anything that makes it harder for the script kiddies seems like an easy win to me.

Alex Beskopilny

Apr 12, 2020, 3:47:31 PM4/12/20
to web2py-users
cd web2py/gluon
grep -r X-Powered-By
./globals.py:        self.headers['X-Powered-By'] = 'xping'


On Sunday, 12 April 2020, 16:02:13 UTC+3, Yan Wong wrote:

Massimo Di Pierro

Apr 12, 2020, 4:55:53 PM4/12/20
to web2py-users
yes. This can be in the user's code:

response.headers['X-Powered-By'] = 'xping'
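An added example, not code from the thread or from web2py itself, of the model-file approach Massimo describes: delete the header rather than overwrite it, and treat the `Server` header the same way. It assumes `response.headers` is the plain dict that web2py's `Response` exposes (as the grep output above suggests) and that the snippet lives in a model file such as `models/0_headers.py` (a placeholder name); the audit helper and the constructed header values are for illustration only.

```python
# Added example: strip software-fingerprinting headers from every web2py
# response. Placed in a model file (e.g. models/0_headers.py, a placeholder
# name) it runs for every request; the functions themselves are plain
# Python and are exercised below with a constructed header dict.

# Header names are case-insensitive, so comparisons use lower case.
FINGERPRINT_HEADERS = {"x-powered-by", "server"}


def scrub_fingerprint_headers(headers, server_value=None):
    """Remove headers that reveal the framework or interpreter.

    headers:      dict-like mapping of response headers (web2py's
                  response.headers is a plain dict, assumption based on
                  the grep output in the thread).
    server_value: if given, rewrite 'Server' to this neutral value
                  instead of deleting it (some clients expect one).
    Returns the list of header names removed or rewritten.
    """
    changed = []
    for name in list(headers):          # copy: we mutate while iterating
        if name.lower() not in FINGERPRINT_HEADERS:
            continue
        if name.lower() == "server" and server_value is not None:
            headers[name] = server_value
        else:
            del headers[name]
        changed.append(name)
    return changed


def fingerprint_findings(headers):
    """Audit helper: report any headers still disclosing software details."""
    return {n: v for n, v in headers.items() if n.lower() in FINGERPRINT_HEADERS}


# Constructed sample of what the built-in Rocket server might send; the
# values are made up for this example, not captured from a real server.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Powered-By": "web2py",
    "Server": "Rocket/1.x Python/3.x",
}

# In a web2py model file the call would be:
#     scrub_fingerprint_headers(response.headers, server_value="nginx")
if __name__ == "__main__":
    hdrs = dict(SAMPLE_HEADERS)
    print("changed:", scrub_fingerprint_headers(hdrs, server_value="nginx"))
    print("remaining findings:", fingerprint_findings(hdrs))
```

Where nginx fronts web2py, as in the production setup described above, the same header can additionally be dropped at the proxy with `proxy_hide_header X-Powered-By;`, so a missed model file does not leak it.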