The 'X-Varnish-Server' header discloses which Varnish caching server or node processed the request. An attacker who learns which node is serving a response can tailor exploits to that node's known vulnerabilities, probe it for default configurations, or attempt cache poisoning. Exposing server details may also help an adversary map your infrastructure, bypass security controls intended only for external traffic, or direct malicious requests at a specific cache node. Revealing this header therefore enlarges the application's attack surface by divulging internal caching architecture information.
Remove or mask the 'X-Varnish-Server' header so that external clients do not learn about the specific Varnish server or node handling requests. Configure your Varnish Cache settings to omit or rewrite technology-identifying headers in production. Keep your Varnish servers up to date with the latest security patches, and regularly audit server logs and configurations to detect anomalies. Consider deploying a Web Application Firewall (WAF) or an intrusion detection system to prevent or mitigate attempts targeting Varnish infrastructure. Periodic reviews of response headers help ensure no sensitive implementation details are inadvertently leaked.
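The remediation above in VCL, as an added example rather than configuration from this page. It assumes the header is set by site VCL (Varnish core emits X-Varnish, Via and Age, not X-Varnish-Server) and shows the leaking line beside the stripped-down production delivery stage; the backend address is a placeholder.

```vcl
vcl 4.1;

# Placeholder origin; replace with the real backend.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_deliver {
    # Weak setting: naming the node in the response is what the finding reports.
    # set resp.http.X-Varnish-Server = server.hostname;

    # Corrected: strip node- and technology-identifying headers before the
    # response leaves the cache. Keep them in a non-production VCL if you rely
    # on them for debugging.
    unset resp.http.X-Varnish-Server;
    unset resp.http.X-Varnish;
    unset resp.http.Via;

    # Optional: hide the origin's own Server banner, which Varnish otherwise
    # passes through unchanged.
    unset resp.http.Server;
}
```

After reloading the VCL, a periodic check such as `curl -sI https://<your-host>/ | grep -i varnish` should return nothing.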
Code: A05:2021
Category: Security Misconfiguration
5.3
5.3