Server information and X-Powered-By header exposed

Hi, We have had a security report handed to us with some Medium risks and were wondering if these are: 1: actually required to change or just poor reporting, and 2: if we can make these changes in a config/setting file or need to request the update.

HTTP Strict Transport Security (HSTS) not enforced - configure for HTTPS only
Server information header exposed - solution to remove
X-Powered-By header exposed - solution is to remove

Regards

Hiya @Chang! Our team is happy to work with you on things like these.

Let me start by explaining where we are today:

  1. We have a dedicated security team and do treat security of our services as a priority.
  2. We get regular third party penetration tests (in addition to hundreds of submissions via our bug bounty program run by HackerOne).
  3. And, as part of our SOC2 compliance, we have to address all of the findings that the third party penetration testers, our own team, and HackerOne’s team report. Those that we agree are of medium or higher impact all get fixed or plans made to fix them soon. Note that our ratings may not match yours or your tools, but we do put substantial work into separating the wheat from the chaff and address what is problematic.

To address your specific questions:

  1. HSTS configuration is controlled by you as described in our documentation: HTTPS (SSL) | Netlify Docs.
  2. The HTTP header Server is exposed by intention and we do not consider it a vulnerability nor is there any way for you to redact it in our service. Our Support and Operations teams use it constantly in our debugging and also in our service path (to e.g. prevent loops inside our service), so it is very intentional that we return it with every request we process.
  3. We don’t set any X-Powered-By HTTP response header by default, so I guess you can remove that from your own code which must be where it is set 🙂

Hope that helps, but let me know if you have any followup questions.

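A practical way to decide whether findings like the three above are real for a given site is to check what the site actually returns. The script below is an added example, not code from the original thread or from Netlify: it parses a captured response header block (as produced by something like `curl -sI https://your-site`) and evaluates the three items from the report. The header values are constructed for the example, and the one-year `max-age` threshold is a common baseline assumption rather than something the thread specifies. The Server header is reported as informational only, matching the answer above that it cannot be removed on Netlify.

```python
"""Audit a raw HTTP response header block for the three findings in the thread:
missing/weak HSTS, an exposed X-Powered-By header, and the Server header."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: what a site might return before any fixes (values made up).
SAMPLE_HEADERS = """HTTP/2 200
server: Netlify
x-powered-by: Express
content-type: text/html; charset=utf-8
cache-control: public, max-age=0, must-revalidate
"""

# Constructed sample: same site after HSTS is configured and X-Powered-By removed.
HARDENED_HEADERS = """HTTP/2 200
server: Netlify
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: text/html; charset=utf-8
"""

# Assumed baseline: one year, the usual minimum recommended for HSTS.
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw header block into a lower-cased name -> value dict.
    The status line and blank lines carry no colon and are skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into directive -> argument
    (directives without an argument, e.g. preload, map to None)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, arg = part.partition("=")
        directives[key.strip().lower()] = arg.strip() or None
    return directives


def audit(raw: str) -> List[Tuple[str, str]]:
    """Return (level, message) findings; level is 'medium' or 'info'."""
    h = parse_headers(raw)
    findings: List[Tuple[str, str]] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("medium", "HSTS missing: no Strict-Transport-Security header"))
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age") or -1)
        except ValueError:
            max_age = -1  # malformed max-age counts as not enforced
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(("medium", f"HSTS max-age too short: {max_age}"))
        if "includesubdomains" not in d:
            findings.append(("info", "HSTS does not cover subdomains (includeSubDomains absent)"))

    if "x-powered-by" in h:
        # Netlify does not set this; it comes from the application, so fix it there.
        findings.append(("medium", f"X-Powered-By exposed: {h['x-powered-by']}"))

    if "server" in h:
        # Returned intentionally by the platform; report it, but it is not a fix item.
        findings.append(("info", f"Server header present: {h['server']}"))

    return findings


if __name__ == "__main__":
    for label, block in (("before", SAMPLE_HEADERS), ("after", HARDENED_HEADERS)):
        print(f"== {label} ==")
        for level, message in audit(block):
            print(f"[{level}] {message}")
```

Run it against headers captured from your own site: anything reported at `medium` is a real action item (HSTS goes into the site's response-header configuration as the linked docs describe; X-Powered-By is removed in the application that sets it), while the `info` lines are there so the report's Server finding can be answered with evidence rather than changed.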

Thank you very much for a very clear and concise reply. As this was not our project originally, the report was dumped on my desk with the action ‘Fix it!’ with no background information, coupled with the source code in a syntax we don’t support. So I really do appreciate your time and effort along with patience. Hope you have a great day!


Glad this was helpful, @Chang. Don’t hesitate to reach out if anything else comes up!