At one of my customers we're in the process of installing Dynatrace Managed. Security is doing an audit and they have found some information in the HTTP Response Header of the Dynatrace UI that shouldn't be there.
The information is as follows:
Security says that information about what webserver Dynatrace Managed is running on, can be misused by certain individuals. They claim that this information shouldn't be there.
I need to give them an answer why this information is included in the HTTP Response header.
Also, they said that the Web.conf file was visible during one request when they tested the POC-environment over a year ago. Can someone guarantee that this should not be the case?
Can someone help me with this?
Thanks in advance!
Information disclosure may be the case; if it is, we will make sure this is hidden.
For the web.conf I’d be very surprised.
Anyway, please open support case so we can track that individually.
Thanks for your answer! Unfortunately, I can't give anymore information because this was feedback from a POC environment that they audited. I just wanted to make sure what Dynatrace's statements were on these points.
If I receive any feedback from Security on the new environment, I'll open a support ticket to discuss these points further 🙂
While we are fixing this in the product, this might be an nginx setting that can be configured in the nginx configuration file.
For reconfiguring nginx settings in Dynatrace Managed, we offer a functionality which is described here: https://www.dynatrace.com/support/help/setup-and-configuration/dynatrace-managed/configuration/configurable-properties-of-dynatrace-managed/
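As an added illustration of the nginx setting the answer above refers to (this is not Dynatrace's own configuration and nothing in the thread confirms which file or property Dynatrace Managed exposes for it), the relevant stock nginx directive is `server_tokens`. By default nginx reports its version in the `Server` response header and on error pages; the weak setting and the hardened one are shown side by side. The `http { ... }` wrapper and the third-party `more_clear_headers` line are assumptions for the sake of the example.

```nginx
# Constructed example, not Dynatrace Managed's shipped nginx.conf.

http {
    # Weak (and the default when omitted): the response carries the
    # full version string, e.g. "Server: nginx/1.24.0", and the same
    # string appears in the footer of nginx-generated error pages.
    # server_tokens on;

    # Hardened: only the product name is sent ("Server: nginx"), and
    # error pages no longer include the version.
    server_tokens off;

    # Removing the Server header entirely is not possible with stock
    # nginx directives; it requires the third-party headers-more module
    # (ngx_http_headers_more_filter_module), which is an assumption
    # about the build and is therefore left commented out here.
    # more_clear_headers 'Server';

    server {
        listen 443 ssl;
        server_name managed.example.invalid;   # placeholder host name
        # ... TLS and proxy settings for the Dynatrace UI go here ...
    }
}
```

After changing the setting, reload nginx and verify with a request that inspects only the headers, for example `curl -sI https://managed.example.invalid/ | grep -i '^server:'`; the auditor's finding is resolved when the version number is gone from that line. Whether the bundled nginx in Dynatrace Managed picks up a hand-edited file, or whether the setting must go through the configurable-properties mechanism linked above, is something to confirm with Dynatrace support rather than something this thread establishes.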
Thanks for your thorough answer. This gives me enough information 🙂