a0a00c4cba
For review, have a look to our docs: https://docs.sonarsource.com/sonarqube/9.8/extension-guide/adding-coding-rules/#coding-rule-guidelines This should not be merged by an AppSec member, because it contains message information. It should be merged by someone from SonarJS. --------- Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
18 lines
875 B
Plaintext
18 lines
875 B
Plaintext
== Recommended Secure Coding Practices
|
|
|
|
In general, it is recommended to keep internal technical information within
|
|
internal systems to control what attackers know about the underlying
|
|
architectures. This is known as the "need to know" principle.
|
|
|
|
The most effective solution is to remove version information disclosure from
|
|
what end users can see, such as the "x-powered-by" header. +
|
|
This can be achieved directly through the web application code, server (nginx,
|
|
apache) or firewalls.
|
|
|
|
Disabling the server signature provides additional protection by reducing the
|
|
amount of information available to attackers. Note, however, that this does not
|
|
provide as much protection as regular updates and patches. +
|
|
Security by obscurity is the least foolproof solution of all. It should never
|
|
be the only defense mechanism and should always be combined with other security
|
|
measures.
|