-
|
Okay so my team recently deployed Harbor on a K8s cluster with the helmchart, and after deployment the security team ran an audit in which they told us that even when not authenticated, the API is returning the Harbor version, which may represent a security risk. Is there a way for us to limit which info the API returns to non-authenticated folks ? Or should I open an Issue for the devs to just prevent the API to return that info when not authenticated ? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 2 replies
-
|
There are some issues related to that. I suggest creating a rule or content rewrite in your ingress. In the meantime. |
Beta Was this translation helpful? Give feedback.
-
|
Hi, sorry for the late reply. We did leave it like this knowing there was a fix incoming. Thank you for the suggestion tho, really appreciate it. |
Beta Was this translation helpful? Give feedback.
-
For this specific question, we have fixed in the incoming 2.13 release. Could you elaborate any other specific issues that you concerned about? |
Beta Was this translation helpful? Give feedback.
-
|
Hi, sorry for the late reply. The security team was concerned that, knowing the app version so easily, and attacker could easily leverage this knowledge in order to use vulnerabilities known for the version we deployed. Thank you for the patch. |
Beta Was this translation helpful? Give feedback.
For this specific question, we have fixed in the incoming 2.13 release.
#21672
Could you elaborate any other specific issues that you concerned about?