Typical HTTP response from XC:

HTTP/1.1 200 OK

date: Tue, 05 Sep 2023 23:31:43 GMT

content-type: text/html

content-length: 150

server: volt-adc

x-request-id: 0ee5193d69351fd898e2897835004589


x-envoy-upstream-service-time: 42

x-volterra-location: ny8-nyc

I already submitted https://www.f5cloudideas.com/ideas/CNSL-I-320 suggesting we should not include a Server header.

I would go further and suggest that we should not be including any information in standard headers that disclose who we are.

The x-volterra-location header is such a disclosure, due to 'Volterra; which any actor can quickly discern to be F5 distributed cloud. Silverline, by comparison, inserts the following: Via: 1.1 dca1-bit12010 . This provides the same information without such disclosure. Suggest to change the header name to X-Via: or whatever is desired.

x-envoy-upstream-service-time: isn't such a problem because the only identifiable info disclosed is 'envoy'. Though I would argue it should be possible to disable this header injection.

This might seem insignificant but by identifying ourselves on the Internet we increase our risk of becoming a target of opportunity.