By DeepSource

Audit required: Exposure of sensitive headers GO-S0901

Tags: Security, A05, CWE-200, SANS Top 25, OWASP Top 10

Headers such as "Server", "X-Powered-By" and "X-AspNet-Version" can leak sensitive information about your application and server (which software and which version is running). Unless they are genuinely required, these headers should not be set.

The following possible response headers should be avoided for security reasons:

  • Server - Specifies web server version.
  • X-Powered-By - Indicates that the website is "powered by ASP.NET."
  • X-AspNet-Version - Specifies the version of ASP.NET used.

Bad practice

package main

import "net/http"

func main() {
	req, _ := http.NewRequest("GET", "http://example.com", nil)
	// Server header's value is leaking information
	req.Header.Set("Server", "Apache/2.4.1 (Unix)")
}
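The defensive counterpart, as an added example that is not part of this DeepSource rule page: the three headers the rule lists are response headers, so the place to guarantee they never reach a client is a Go middleware that deletes them just before the header block is written. The names StripSensitiveHeaders and LeakedHeaders are hypothetical, and the header values in the sample handler are constructed; the example uses only net/http and net/http/httptest, so it runs offline.

```go
package main
import "net/http"
import "net/http/httptest"

// Response headers this rule flags (the list from the rule text).
var leakyHeaders = []string{"Server", "X-Powered-By", "X-AspNet-Version"}
// headerStripper deletes the flagged headers right before they are sent.
type headerStripper struct{ http.ResponseWriter }
func (s *headerStripper) strip() {
	for _, h := range leakyHeaders {
		s.Header().Del(h)
	}
}
func (s *headerStripper) WriteHeader(code int) {
	s.strip()
	s.ResponseWriter.WriteHeader(code)
}
// Write strips too: a handler that never calls WriteHeader makes net/http send
// an implicit 200 on first Write, which would otherwise bypass the hook above.
func (s *headerStripper) Write(b []byte) (int, error) {
	s.strip() // harmless no-op if the header block already went out
	return s.ResponseWriter.Write(b)
}
// StripSensitiveHeaders (hypothetical name) is middleware for any http.Handler.
func StripSensitiveHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&headerStripper{w}, r)
	})
}
// LeakedHeaders serves a deliberately leaky handler (constructed values), with or
// without the middleware, and returns the flagged headers the response still has.
func LeakedHeaders(wrapped bool) (found []string) {
	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Server", "Apache/2.4.1 (Unix)")
		w.Header().Set("X-Powered-By", "ASP.NET")
		w.Header().Set("X-AspNet-Version", "4.0.0 (constructed)")
		w.Write([]byte("ok")) // no explicit WriteHeader: exercises the Write path
	})
	if wrapped {
		h = StripSensitiveHeaders(h)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	for _, name := range leakyHeaders {
		if rec.Result().Header.Get(name) != "" {
			found = append(found, name)
		}
	}
	return found
}
```

LeakedHeaders(false) returns all three names and LeakedHeaders(true) returns none; the same check works over headers captured from a real deployment to confirm the middleware is actually in the chain.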