Protection of sensitive technical information in server response headers
```ruby
# config/application.rb
module YourApp
  class Application < Rails::Application
    config.middleware.use Rack::Sendfile
  end
end
```
In the code snippet above, the Ruby on Rails application is configured to use the `Rack::Sendfile` middleware. This middleware enables or disables the X-Sendfile feature, which can reveal technical information through the server response headers.
When a client sends a request to the server, the server responds with the requested resource along with some additional information in the form of headers. These headers can contain technical information such as the technology names or component versions used by the server.
In this case, the `Rack::Sendfile` middleware can add the `X-Sendfile` header to the response. This header is used to offload the actual file serving from the Ruby process to the front-end web server (such as Apache or Nginx). However, the presence of this header can reveal that the application uses the Ruby on Rails framework and Rack middleware, which is a technical information leak.
This information could potentially be used by an attacker to identify known vulnerabilities in these technologies and exploit them. Therefore, it is good practice to remove or obfuscate such headers to prevent information leakage.
```ruby
# config/application.rb
module YourApp
  class Application < Rails::Application
    config.middleware.delete Rack::Sendfile
  end
end
```
The code above removes the `Rack::Sendfile` middleware from the application configuration. This middleware is used to serve static files directly from the Rack application, which can expose sensitive information such as technology names or component versions in the server response headers.
By removing this middleware, we are ensuring that such information is not exposed. However, this also means that the application will no longer be able to serve static files directly. Therefore, it is recommended to use a web server or reverse proxy to handle static file serving instead.
This change helps to improve the security of the application by preventing potential information leakage through the server response headers.
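The following is an added example, not code from the original page or from the Rails project: a Rack-style middleware that strips the sendfile and banner headers discussed above from every response, together with a small audit helper that reports which such headers a response still carries. It relies only on the Rack calling convention (an object responding to `call(env)` and returning `[status, headers, body]`), so no gems are needed to run it; the inner application, file path and `Server` value are constructed, and the class name `StripDisclosureHeaders` is an assumption.

```ruby
# Added example: strip and audit response headers that disclose the serving stack.
# X-Sendfile, X-Accel-Redirect and X-Lighttpd-Send-File are the offload headers
# Rack::Sendfile emits for Apache, Nginx and Lighttpd respectively; Server and
# X-Powered-By are the usual technology banners. Names are kept lower-case so
# matching works for both Rack 2 (mixed-case) and Rack 3 (lower-case) headers.
DISCLOSURE_HEADERS = %w[
  x-sendfile
  x-accel-redirect
  x-lighttpd-send-file
  x-powered-by
  server
].freeze

# Audit helper: returns the header names (as spelled in the response) that would
# leak technology details to the client. Case-insensitive, as HTTP header names are.
def leaking_headers(headers)
  headers.keys.select { |name| DISCLOSURE_HEADERS.include?(name.to_s.downcase) }
end

# Middleware that removes the disclosure headers from every response.
# In a Rails app it would be installed with:
#   config.middleware.use StripDisclosureHeaders
# (class name is an assumption; `extra:` lets a deployment block further names).
class StripDisclosureHeaders
  def initialize(app, extra: [])
    @app = app
    @blocked = DISCLOSURE_HEADERS + extra.map(&:downcase)
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers.delete_if { |name, _| @blocked.include?(name.to_s.downcase) }
    [status, headers, body]
  end
end

# Constructed inner app standing in for a Rails stack that still emits an
# X-Sendfile header and a Server banner (both values are made up).
LEAKY_APP = lambda do |_env|
  [200,
   { "Content-Type" => "application/octet-stream",
     "X-Sendfile"   => "/srv/app/public/report.pdf",  # constructed path
     "Server"       => "ExampleServer/1.0" },          # constructed banner
   ["..."]]
end

# Runs the constructed app through the middleware and returns the Rack triple.
def hardened_response(env = {})
  StripDisclosureHeaders.new(LEAKY_APP).call(env)
end

if __FILE__ == $PROGRAM_NAME
  _, raw_headers, _ = LEAKY_APP.call({})
  puts "before: #{leaking_headers(raw_headers).inspect}"
  _, clean_headers, _ = hardened_response
  puts "after:  #{leaking_headers(clean_headers).inspect}"
end
```

Removing `X-Sendfile` inside the application has the same consequence the page describes for deleting `Rack::Sendfile`: the front-end web server never sees the offload instruction, so static files must be served by the web server or reverse proxy directly. The audit helper is the useful part in a test suite or CI check, where it can run against real responses to confirm that no disclosure header reaches the client.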