How to Make Zope Think It's Someone Else
All HTTP servers identify themselves. Here's how to change Zope's default identity.
If you have a Zope 2.8.1 instance with Plone installed, and look at the HTTP headers, which anyone can do, you will see something like this:
Server: Zope/(Zope 2.8.1-final, python 2.3.5, freebsd4) ZServer/1.1 Plone/Unknown
This gives away a lot of information to the general public, including potential attackers. What if a security issue comes out for Zope 2.8.1 and you don't hear about it or don't upgrade? An attacker could simply write a script that looks for servers identifying themselves as Zope 2.8.1 and then try to exploit your Zope application, causing untold problems.
You'll first, of course, need to log in via SSH.
You'll then need to edit the following file:
vi /usr/local/zope/281/lib/python/ZServer/HTTPResponse.py
This path assumes you are using Zope 2.8.1; adjust it if you're using a different Zope version.
Scroll all the way down to the end of the file and edit this line:
response._server_version=request.channel.server.SERVER_IDENT
You could for example change it to this:
response._server_version='Apache'
Or you can put any other string in there instead of Apache, for example:
response._server_version='High Speed Rails, Python, Zope, Plone & Me'
response._server_version='All My Servers Are Belong To Me'
Remove the stale compiled bytecode so that Zope reloads the edited source rather than the old .pyc:
rm /usr/local/zope/281/lib/python/ZServer/HTTPResponse.pyc
... and restart your Zope:
zopectl restart
Check your New Headers
One way you can view your headers and make sure the change went through is to go here:
http://www.webmaster-toolkit.com/http-header-viewer.shtml
... and enter the URL of your Zope site.
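If you would rather verify the change from your own machine than through a third-party web form, the following Python 3 script fetches a site's Server header and reports every product/version pair it reveals. It is an added example, not part of the original article or of Zope; the sample header it carries is the one quoted above, and the script name and the URL argument are assumptions.

```python
"""Report which products and versions a site's Server header reveals.

Added example, not part of the original article. Assumes Python 3 and,
for a live check, a reachable site; the sample header below is the one
quoted in the article, embedded here as a constructed input.
"""
import re
import sys
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Header value quoted in the article, used here as a constructed sample input
ZOPE_SAMPLE = "Zope/(Zope 2.8.1-final, python 2.3.5, freebsd4) ZServer/1.1 Plone/Unknown"

# A product name followed (after '/', a space, or nothing) by a version that
# starts with a digit, e.g. "ZServer/1.1", "python 2.3.5", "freebsd4".
_VERSIONED = re.compile(r"\b([A-Za-z][A-Za-z0-9_-]*?)[/ ]?(\d[\w.\-]*)\b")


def parse_server_header(value):
    """Return (product, version) pairs for every versioned token in a Server header."""
    if not value:
        return []
    return _VERSIONED.findall(value)


def leaks_versions(value):
    """True when the header names at least one product together with a version."""
    return bool(parse_server_header(value))


def fetch_server_header(url, timeout=5):
    """Fetch the Server header for url (GET is used because some servers refuse HEAD).

    Returns the header value, or None if it is missing or the request fails.
    An HTTP error page (404, 500, ...) still carries a Server header, so it is read too.
    """
    request = Request(url, headers={"User-Agent": "server-header-check"})
    try:
        with urlopen(request, timeout=timeout) as response:
            return response.headers.get("Server")
    except HTTPError as err:
        return err.headers.get("Server")
    except URLError:
        return None


def describe(value):
    """Human-readable verdict for a Server header value."""
    pairs = parse_server_header(value)
    if not pairs:
        return "Server header %r reveals no product versions" % (value,)
    return "Server header reveals: " + ", ".join("%s %s" % pair for pair in pairs)


if __name__ == "__main__":
    # Usage (assumed script name): python check_server_header.py http://your.zope.site/
    # With no URL the article's sample header is analysed instead.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    header = fetch_server_header(target) if target else ZOPE_SAMPLE
    print(describe(header))
```

Run it against your site before and after the edit: the unmodified header lists Zope, Python, the operating system and ZServer with their versions, while a header of plain 'Apache' reports no versions at all.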
Conclusion
This is a very small part of any security strategy, but it definitely can be worth implementing.
Questions?
Please contact us with your questions and we will get back to you right away.
