Description
Right now, Ratchet always includes an X-Powered-By HTTP response header exposing the specific Ratchet version. This could potentially be used during reconnaissance to gain more information to prepare following attacks (see #932 and others).
At the moment, there does not appear to be a way to configure Ratchet to control this behavior. I would like to use this ticket as an opportunity to see if the default behavior makes sense, if we should remove this header in its entirety, if we should only include the major version or if we really need an option to control this.
For example, nginx always sends the Server: nginx header with an option to exclude the specific version (server_tokens off). For ReactPHP, we always send the Server: ReactPHP/1 header with only the major version included (reactphp/http#374). PHP always sends the X-Powered-By: PHP/6.0.0 header unless expose_php is off.
In the meantime, you can always avoid this header by configuring your reverse proxy to remove this header. For nginx this should be as easy as:
proxy_hide_header X-Powered-By;
Note that irrespective of this header, the fact that Ratchet is serving the HTTP request can always be determined through other means, such as specific HTTP headers, timing attacks and additional implementation quirks. I do not currently see that this HTTP header alone constitutes a security issue on its own, but I definitely agree that this could contribute to seeing more targeted attacks should any security issues arise.
Any input is welcome 👍
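As an added check that is not part of Ratchet, ReactPHP or this issue: a small Python audit that parses the head of an HTTP response and classifies what each Server and X-Powered-By header reveals (absent, product only, major version, full version), using constructed sample responses modelled on the cases discussed above. The string Ratchet/1.2.3 is a placeholder version, not a real release.

```python
import re

DISCLOSURE_HEADERS = ("Server", "X-Powered-By")
# "product" or "product/version", e.g. "nginx", "ReactPHP/1", "PHP/6.0.0"
_PRODUCT = re.compile(r"^\s*([^/\s]+)(?:/(\S+))?")

# Constructed sample responses modelled on the cases the issue discusses;
# "Ratchet/1.2.3" is a placeholder version, not a real release.
SAMPLES = {
    "ratchet_default": "HTTP/1.1 101 Switching Protocols\r\n"
                       "Upgrade: websocket\r\nX-Powered-By: Ratchet/1.2.3\r\n\r\n",
    "reactphp_major_only": "HTTP/1.1 200 OK\r\nServer: ReactPHP/1\r\n\r\n",
    "php_expose_php_on": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                         "X-Powered-By: PHP/6.0.0\r\n\r\n",
    "behind_proxy_hide_header": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}

EXPOSURE_ORDER = ("absent", "product-only", "major-version", "full-version")

def parse_response_head(raw):
    """Turn the head of a raw HTTP/1.x response into a {name: value} dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers

def classify_value(value):
    """How much a token like 'PHP/6.0.0' reveals about the software."""
    match = _PRODUCT.match(value)
    if match is None:                   # empty value discloses nothing
        return "absent"
    version = match.group(2)
    if version is None:
        return "product-only"           # e.g. "nginx" with server_tokens off
    return "full-version" if "." in version else "major-version"

def audit_headers(headers):
    """Classify each disclosure header (names matched case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {name: ("absent" if lowered.get(name.lower()) is None
                   else classify_value(lowered[name.lower()]))
            for name in DISCLOSURE_HEADERS}

def worst_exposure(headers):
    """Most revealing level across all disclosure headers of one response."""
    return max(audit_headers(headers).values(), key=EXPOSURE_ORDER.index)

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {worst_exposure(parse_response_head(raw))}")
```

Running it against a captured response head instead of the samples shows whether a reverse-proxy rule such as proxy_hide_header actually took effect.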