Stanislav Bondarenko · michaelmcleroy · 5fcb9e6c · 5fcb9e6c · 5fcb9e6c
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 2 deletions

CHANGELOG.md CHANGELOG.md +4 -0

chart/Chart.yaml chart/Chart.yaml +1 -1

chart/templates/envoyfilter.yaml chart/templates/envoyfilter.yaml +38 -1

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@

 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [1.10.3-bb.1]
+### Changed
+- Add envoyfilter to remove server response header to prevent information disclosure
+
 ## [1.10.3-bb.0]
 ### Changed
 - Update to Istio 1.10.3

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: istio
-version: 1.10.3-bb.0
+version: 1.10.3-bb.1
--- a/chart/templates/envoyfilter.yaml
+++ b/chart/templates/envoyfilter.yaml
@@ -39,4 +39,41 @@ spec:
                      request_handle:respond({[":status"] = "421"}, "Misdirected Request")
                    end
                  end
-                end
\ No newline at end of file
+                end
+---
+{{/*
+Hide server response header
+https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/241
+*/}}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: remove-server-header
+  namespace: istio-system
+spec:
+  workloadSelector:
+    labels:
+      istio: ingressgateway
+  configPatches:
+  - applyTo: NETWORK_FILTER
+    match:
+      context: GATEWAY
+      listener:
+        filterChain:
+          filter:
+            name: "envoy.filters.network.http_connection_manager"
+    patch:
+      operation: MERGE
+      value:
+        typed_config:
+          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+          server_header_transformation: PASS_THROUGH
+  - applyTo: ROUTE_CONFIGURATION
+    match:
+      context: GATEWAY
+    patch:
+      operation: MERGE
+      value:
+        response_headers_to_remove:
+        - "x-envoy-upstream-service-time"
+        - "server"