apache-zeppelin, penetration-testing

How to Hide Server/Software Version from Apache Zeppelin/Any Related Web-App?


Any ideas/suggestions on how to hide the software/server version from Apache Zeppelin? We hired an information security company to perform external pen-testing on our servers, and one of the issues raised was to hide all the software versions being disclosed in application headers/error messages.

So for example if I execute this command from a terminal:

curl -I -k https://localhost:8181/

It will give this result

HTTP/1.1 200 OK
Date: Thu, 16 Jul 2020 03:37:42 GMT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization,Content-Type
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
Date: Thursday, July 16, 2020 1:37:42 PM AEST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization,Content-Type
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, HEAD, DELETE
Date: Thursday, July 16, 2020 1:37:42 PM AEST
Content-Type: text/html
Last-Modified: Thu, 08 Jun 2017 09:18:50 GMT
Accept-Ranges: bytes
Content-Length: 3657
Server: Jetty(9.2.15.v20160210)

How can I hide the Server: Jetty(9.2.15.v20160210) header, or is it even possible? I've been searching but have had no luck yet finding a solution for this. Appreciate any help. Thanks in advance! Cheers.


Solution

  • It's possible in Zeppelin 0.9.0 (not yet released) - it's implemented as part of ZEPPELIN-4586 and should be available in 0.9.0-preview2 soon, or you can compile from source yourself. You can look at the documentation in the meantime.
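As an added check (not from the question or the Zeppelin project), a short Python script that parses the raw `curl -I` response head shown above and flags headers that still disclose a product version, so the pen-test finding can be re-tested after the upgrade. The sample head is reconstructed from the question's output, and the list of banner header names is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Raw response head as `curl -I -k https://localhost:8181/` returned it before
# the fix; constructed here from the headers quoted in the question.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 16 Jul 2020 03:37:42 GMT\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Date: Thursday, July 16, 2020 1:37:42 PM AEST\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 3657\r\n"
    "Server: Jetty(9.2.15.v20160210)\r\n"
    "\r\n"
)

# Header names that commonly carry a product banner (assumed list; extend as needed).
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
# Anything that looks like a dotted version number, e.g. 9.2.15
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def parse_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 head into (status line, [(name, value), ...]); names lower-cased, repeats kept."""
    lines = raw.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:  # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def version_disclosures(raw: str) -> List[str]:
    """Return 'name: value' for every banner header whose value contains a version string."""
    _, headers = parse_head(raw)
    return [f"{n}: {v}" for n, v in headers
            if n in BANNER_HEADERS and VERSION_RE.search(v)]


def duplicate_headers(raw: str) -> Dict[str, int]:
    """Headers sent more than once; the question's output repeats Date and the CORS headers."""
    _, headers = parse_head(raw)
    counts: Dict[str, int] = {}
    for n, _ in headers:
        counts[n] = counts.get(n, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


def banner_clean(raw: str) -> bool:
    """True when no header discloses a version; run against the live response after upgrading."""
    return not version_disclosures(raw)
```

Feed it the head of a real `curl -I` capture to confirm the Jetty version string is gone once Zeppelin is upgraded.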