When accessing a resource which needs authentication and this information is not provided, sabre/dav responds with a 401 and:

```xml
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:sabredav-version>4.7.0</s:sabredav-version>
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>No 'Authorization: Digest' header found. Either the client didn't send one, or the server is misconfigured. Login was needed for privilege: {DAV:}read on </s:message>
</d:error>
```
This discloses unnecessary information, like the version number (4.7.0) and the underlying framework to a potential attacker.
While it is possible to hide the version number via `$exposeVersion = false`, it would be great if there was a similar switch to hide the XML body and only return a generic 401.
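As an added example (not part of the original issue and not sabre/dav code), this Python check parses a 401 error body like the one quoted above and lists the elements that disclose implementation details. The function name `audit_error_body` and the version-hidden sample are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DAV_NS = "DAV:"
SABRE_NS = "http://sabredav.org/ns"
# Elements of the error body that reveal implementation details.
DISCLOSING = ("sabredav-version", "exception", "message")

# Constructed sample: the 401 body quoted in the issue.
SAMPLE_BODY = rb"""<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:sabredav-version>4.7.0</s:sabredav-version>
<s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
<s:message>No 'Authorization: Digest' header found. Either the client didn't send one, or the server is misconfigured. Login was needed for privilege: {DAV:}read on </s:message>
</d:error>"""

# Constructed sample (assumption): the same body with the version element
# omitted, as expected once $exposeVersion = false is set.
VERSION_HIDDEN_BODY = SAMPLE_BODY.replace(
    b"<s:sabredav-version>4.7.0</s:sabredav-version>\n", b"")


def audit_error_body(body: bytes) -> dict:
    """Return {element: text} for each disclosing element in a 401 body."""
    # An empty body is the generic 401 the issue asks for.
    # Bodies with a DTD are not parsed, to avoid entity expansion.
    if not body.strip() or b"<!DOCTYPE" in body:
        return {}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}
    if root.tag != f"{{{DAV_NS}}}error":
        return {}
    findings = {}
    for name in DISCLOSING:
        el = root.find(f"{{{SABRE_NS}}}{name}")
        if el is not None and (el.text or "").strip():
            findings[name] = el.text.strip()
    return findings


if __name__ == "__main__":
    for label, body in (("default", SAMPLE_BODY),
                        ("version hidden", VERSION_HIDDEN_BODY)):
        print(label, "->", sorted(audit_error_body(body)))
```

With the version element removed, the check still reports the exception class and message, which is the remaining disclosure the issue describes.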