Hide Server Header


josch...@live.de

Nov 23, 2021, 9:49:25 AM
to Wazuh mailing list
Hello,

We had an internal penetration test in our datacenter, and one of the findings was that the wazuh-api is disclosing the version of aiohttp in the Server header. Is there a way to hide that information?

Best Regards

josch...@live.de

Nov 23, 2021, 9:53:58 AM
to Wazuh mailing list
I'm talking about this header:

[image: image-2021-11-22-22-02-07-853.png]

Alexis Rivas

Nov 23, 2021, 10:39:00 AM
to Wazuh mailing list
Hi! Hope you're doing well.
Which Wazuh version are you using?

This situation is currently patched in Wazuh 4.3. In this PR (https://github.com/wazuh/wazuh/pull/9263) you can find related information about those server headers.
Regards!
Alexis

josch...@live.de

Nov 23, 2021, 12:09:58 PM
to Wazuh mailing list
We are currently using Wazuh 4.2.4-1 and will soon update to 4.2.5-1. So the fix would be to wait for 4.3, and then the API won't disclose the server version anymore (Wazuh or aiohttp ...)?

Alexis Rivas

Nov 23, 2021, 12:29:18 PM
to Wazuh mailing list
Hi!
That's correct, server information won't be displayed in API response headers.
This fix is currently merged on the master branch of our repository and will be available in Wazuh version 4.3.

Just for your information, Wazuh 4.3 is being tested at the moment and it's near the product release.
Regards
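
A way to confirm the finding is closed after upgrading, added here as an example that is not part of the thread or of Wazuh's code: the script parses a raw HTTP response head and reports every versioned product token in the `Server` or `X-Powered-By` headers. The two sample responses, including the version numbers in them and the assumption that the fixed API omits the header entirely, are constructed for illustration.

```python
import re

# RFC 7231 "product/version" token, e.g. aiohttp/3.7.4
PRODUCT_VERSION = re.compile(r"([A-Za-z0-9!#$%&'*+.^_`|~-]+)/([0-9][A-Za-z0-9._-]*)")
# Response headers that commonly advertise the software stack
DISCLOSING_HEADERS = ("server", "x-powered-by")


def parse_headers(raw_response):
    """Return [(lowercased name, value)] from the head of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def version_disclosures(raw_response):
    """Return (header, product, version) for each versioned product token found."""
    findings = []
    for name, value in parse_headers(raw_response):
        if name in DISCLOSING_HEADERS:
            for product, version in PRODUCT_VERSION.findall(value):
                findings.append((name, product, version))
    return findings


# Constructed sample: a response carrying an aiohttp-style Server header
BEFORE = ("HTTP/1.1 401 Unauthorized\r\n"
          "Content-Type: application/problem+json\r\n"
          "Server: Python/3.9 aiohttp/3.7.4\r\n"
          "\r\n{}")
# Constructed sample: the same response with the Server header absent (assumed)
AFTER = ("HTTP/1.1 401 Unauthorized\r\n"
         "Content-Type: application/problem+json\r\n"
         "\r\n{}")

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, version_disclosures(sample) or "no version disclosed")
```
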