Web application frameworks and servers often disclose version information by default through HTTP headers.

Why is this an issue?

Version information disclosed by default through HTTP headers is often overlooked by developers, yet it can pose a security risk. Once this information is public, attackers can use it to identify potential vulnerabilities specific to that version. This rule raises an issue when version information is disclosed through HTTP headers such as x-powered-by or Server.

What is the potential impact?

If the disclosed version information indicates the use of outdated or unsupported software, it becomes easier for attackers to exploit known vulnerabilities. They can search for published vulnerabilities related to that version and launch targeted attacks.

How to fix it

Do not disclose version information unless it is genuinely necessary. In particular, do not set the x-powered-by or Server HTTP headers from application code, and do not leave them populated by framework or server defaults.

Code examples

Noncompliant code example

import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExampleController {
  @GetMapping(value = "/example")
  public ResponseEntity<String> example() {
    HttpHeaders responseHeaders = new HttpHeaders();
    // Sends the product name and exact version to every client.
    responseHeaders.set("x-powered-by", "myproduct1.2.3"); // Noncompliant

    return new ResponseEntity<String>(
        "example",
        responseHeaders,
        HttpStatus.CREATED);
  }
}

Compliant solution

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController public class ExampleController {
  @GetMapping(value = "/example")
  public ResponseEntity<String> example() {
    // No custom headers: the response carries only the body and status.
    return new ResponseEntity<String>(
        "example",
        HttpStatus.CREATED);
  }
}
