[MEDIUM] Missing security headers and server info leakage on web services #34

Open
opened 2026-05-05 17:51:44 -05:00 by pjennings (Owner) · 0 comments

Description

Multiple web-facing services are missing security headers and leaking server information.

Findings

Server Header Leakage

  • rp1 (10.1.12.2): Server: Angie (nginx fork)
  • 10.1.12.3: Server: Angie
  • 10.1.12.4: Server: Angie, X-Powered-By: authentik

Missing Security Headers

  • HSTS (Strict-Transport-Security): Not verified on all HTTPS services
  • X-Content-Type-Options: May be missing
  • X-Frame-Options: May be missing (Authentik has DENY, good)
  • Content-Security-Policy: Not verified
  • Referrer-Policy: Authentik has same-origin (good)
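
Three of the entries above are "not verified" or "may be missing". As an added check (example script written for this issue, not code from the original report or from Angie/authentik), the POSIX shell audit below makes the verification repeatable: `audit_headers` takes a raw response header block and flags Server/X-Powered-By disclosure, a missing or short-lived Strict-Transport-Security, an X-Content-Type-Options value other than nosniff, and missing X-Frame-Options, Content-Security-Policy and Referrer-Policy; `problem_count` gives a number for a CI gate; `audit_url` runs the same audit against a live host with curl. The three embedded responses are constructed to mirror the rp1 and authentik findings plus a hardened target; they are not real captures.

```shell
#!/bin/sh
# Added header audit (not part of the original issue or of Angie/authentik).
# audit_headers "<raw response headers>" prints one "[!] ..." line per problem.

audit_headers() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')

  # has NAME: true if the header is present (header names are case-insensitive)
  has() { printf '%s\n' "$hdrs" | grep -qi "^$1:"; }
  # val NAME: value of the first occurrence, without the name
  val() { printf '%s\n' "$hdrs" | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'; }
  note() { printf '[!] %s\n' "$1"; }

  # Information disclosure: product names in Server / X-Powered-By
  has server && note "Server header discloses: $(val server)"
  has x-powered-by && note "X-Powered-By discloses: $(val x-powered-by)"

  # HSTS: must be present, with a max-age of at least one year (31536000 s)
  if has strict-transport-security; then
    max_age=$(val strict-transport-security | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
      note "Strict-Transport-Security has no max-age"
    elif [ "$max_age" -lt 31536000 ]; then
      note "Strict-Transport-Security max-age too short: $max_age"
    fi
  else
    note "missing Strict-Transport-Security"
  fi

  # MIME sniffing: only the value "nosniff" is meaningful
  if has x-content-type-options; then
    [ "$(val x-content-type-options | tr '[:upper:]' '[:lower:]')" = "nosniff" ] \
      || note "X-Content-Type-Options is not nosniff: $(val x-content-type-options)"
  else
    note "missing X-Content-Type-Options"
  fi

  # Clickjacking and referrer leakage
  has x-frame-options || note "missing X-Frame-Options"
  has content-security-policy || note "missing Content-Security-Policy"
  has referrer-policy || note "missing Referrer-Policy"
  return 0
}

# problem_count "<headers>": number of [!] lines, usable as a CI gate
problem_count() {
  audit_headers "$1" | awk 'END { print NR }'
}

# audit_url https://host/: fetch the live response headers (HEAD request) and audit them
audit_url() {
  audit_headers "$(curl -sS -I --max-time 10 "$1")"
}

# Constructed sample responses modelled on the findings (not real captures)
RP1_SAMPLE='HTTP/2 200
server: Angie
content-type: text/html'

AUTHENTIK_SAMPLE='HTTP/2 200
server: Angie
x-powered-by: authentik
x-frame-options: DENY
referrer-policy: same-origin
content-type: text/html'

HARDENED_SAMPLE="HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
content-security-policy: default-src 'self'"

printf 'rp1 (constructed):\n';       audit_headers "$RP1_SAMPLE"
printf 'authentik (constructed):\n'; audit_headers "$AUTHENTIK_SAMPLE"
printf 'hardened (constructed): %s problems\n' "$(problem_count "$HARDENED_SAMPLE")"
```

Run `audit_url` against the DNS name the service is actually reached through, not the bare IP: browsers ignore HSTS for IP-address hosts, so a header seen on `https://10.1.12.2/` says nothing about the hostname users type. Some backends answer HEAD differently from GET; if a result looks odd, swap `-I` for `-D - -o /dev/null` in `audit_url` to audit a real GET.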

Risks

  1. Information disclosure — server headers reveal software stack
  2. Clickjacking — missing X-Frame-Options
  3. MIME sniffing — missing X-Content-Type-Options
  4. TLS stripping — without HSTS, an active attacker on the path can hold a user who follows an http:// link or types a bare hostname on plaintext HTTP. HSTS only protects after a first HTTPS visit (or via preload) and is ignored by browsers for IP-address hosts, so it must be set on the hostnames these services are reached through.

Recommendations

Nginx/Angie Configuration

server_tokens off;  # Hides the version only; the header still reads "Server: Angie" (as observed above)
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# includeSubDomains pins every subdomain to HTTPS and preload is inert unless the domain is
# submitted to hstspreload.org; raise max-age gradually before adding either.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Note: an add_header inside a location block replaces, rather than extends, the set
# inherited from server/http. Put these at the level that applies to every response.

Authentik

  • Remove the X-Powered-By: authentik header if authentik can be configured to omit it; otherwise strip it at the Angie reverse proxy in front of it with proxy_hide_header.
  • Verify HSTS is enabled on the HTTPS hostname that fronts authentik (not just on the IP).

References

  • OWASP Secure Headers: https://owasp.org/www-project-secure-headers/
  • Related: docs/network-scan-2026-05-05.md (Findings F2, F8)