Kong Headers and Information Leakage

I am currently researching hardening the Kong API gateway to get it ready for some penetration tests and wanted to resolve the following issue of information leakage in the response headers. As you can see, Kong sends back a variety of headers that expose that the server is “Kong”: ‘Server’: ‘Kong/x.x’, ‘Via’: ‘kong/x.x’, ‘X-kong-proxy-latency’: ‘0’, ‘X-kong-upstream-latency’: ‘79’. There appear to be 2 related issues open on the Kong GitHub here and here.…

AWS Summit 2016 London

Last week I attended the AWS Summit at London Excel. The day was a bit of a mixed bag, with a fairly slow start in the keynote by Dr. Werner Vogels (Chief Technology Officer, Amazon.com) but some useful bits in the free Hands On session and the breakout sessions later in the afternoon. Keynote As alluded to, the Keynote was more of an overview of the AWS product set punctuated with customer success stories.…

Installing Kong for development on Mac

By far the easiest way I have found to get Mashape’s Kong installed is via Docker. This takes seconds and is about as pain-free as any install can get. How about installing to develop Kong though? I began following the excellent HelloWorld plugin guide here and found the environment setup steps in the article a little light, and although I have seen Vagrant scripts here and other guides like this Mac OS installer script, I believe the best route - as with most Mac installs - was directly via the Brew install approach here.…

Fault tolerance

One of my favourite talks from QCon this year was Fault tolerance made easy by Uwe Friedrichsen. Uwe’s talk about fault tolerance had a big impact on me (a similar presentation can be seen here and I implore you to watch it). Uwe’s presentation was largely based around the book Release It!, which I have since picked up to read myself. I am only halfway through and already I would state this is in my top 3 professional books.…

Skype attacks IIS

We are currently developing an IIS hosted .NET application at work. Eventually the whole app will be hosted through HTTPS, so for now we are doing a lot of the development this way too; thus our local development servers are configured for HTTPS over port 443. One of the devs on the project was setting up their machine yesterday and kept getting the following error in IIS when starting their website: “The process cannot access the file because it is being used by another process.…