Protection against XSS by CSP & mask ReGaHss Servername #597
The setenv.set-response-header part will overwrite the possibly provided ReGaHss server name on Lighttpd-controlled ports.
The HTTP response header will no longer contain
Server: ise GmbH HTTP-Server v2.0
--> it becomes: Server: Server
If a system is reachable on open port 80 by port forwarding, it is no longer identifiable by this special server name.
Currently there are 8303 open HomeMatic systems listed: https://www.shodan.io/search?query=ise+GmbH+HTTP-Server+v2.0
It's (a little bit) harder for an attacker to find a HomeMatic system if the Server HTTP header is obfuscated.
The CSP setting protects against XSS attacks. It needs to allow the remote host
*.homematic.com
to be able to load the version check JavaScript from http://ccu3-update.homematic.com/firmware/download?cmd=js_check_version&........ You may adjust the host name for the RaspberryMatic update check, too.
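For illustration, here is an added example of what the two settings described above look like in lighttpd configuration syntax. It is not the PR's own diff and not taken from the RaspberryMatic repository: the directive name setenv.set-response-header and the masked value "Server" are from the description, while the exact CSP directive list, the module line and the conditional block are assumptions a practitioner would have to adapt to the WebUI's real script and asset sources.

```conf
# Added example (not the PR's code): mask the backend Server header and send a CSP.
# mod_setenv must be loaded for setenv.* directives; ordering relative to mod_proxy
# is assumed here and should be checked against the project's existing module list.
server.modules += ( "mod_setenv" )

# "set" replaces an existing header, so the "ise GmbH HTTP-Server v2.0" value
# coming from ReGaHss is overwritten with the neutral value "Server" on every
# port lighttpd controls. (setenv.add-response-header would only append.)
setenv.set-response-header = (
    "Server" => "Server",

    # Assumed CSP policy: scripts and other resources from this origin, plus
    # *.homematic.com so the version-check JavaScript from
    # ccu3-update.homematic.com can still be loaded. A scheme-less host-source
    # like *.homematic.com matches the scheme of the page itself, so it covers
    # the http:// update URL when the WebUI is served over http.
    # If the legacy WebUI relies on inline scripts or styles, 'unsafe-inline'
    # would additionally be needed in script-src / style-src; that is a
    # project-specific decision, not something stated in the PR description.
    "Content-Security-Policy" => "default-src 'self'; script-src 'self' *.homematic.com; img-src 'self' data:; frame-ancestors 'self'"
)
```

After restarting lighttpd, the effect can be verified from a client with `curl -sI http://<ccu-host>/` and confirming that the Server line now reads `Server: Server` and that a Content-Security-Policy line is present; the browser console will report any resource the policy blocks, which is the quickest way to discover sources that still need to be whitelisted.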