The Airflow application reveals server information through HTTP response headers. The following information is provided:
Server: gunicorn/19.9.0. The application also allows access to a default monitoring page, /health, which provides a small amount of information about the server status.
Business Impact/Attack Scenario
Information regarding the web server, version information, frameworks, development methodology or anything else related to the infrastructure of an application may be collected by an attacker. Information gathered may then be used to perform targeted research, vulnerability or exploit development against known components, or social-engineering-style attacks against application owners. Information gathered also increases the likelihood of compromise in the event that vulnerabilities in the disclosed components are publicly released.
Remediation
Remove the server information from the application's HTTP response headers. Modify gunicorn's conf.py and change the following parameter: gunicorn.SERVER_SOFTWARE = '<change_server_info_here>'.
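To confirm the finding and to re-test after the header is changed, the following added check (not part of the original report, Airflow or gunicorn) parses a raw HTTP response and lists every fingerprint header that still carries a product/version token such as gunicorn/19.9.0; the two sample responses are constructed for the example.

```python
"""Check HTTP response headers for server/version disclosure (added example)."""
import re

# Response headers that commonly carry product/version fingerprints.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Matches "product/version" tokens such as gunicorn/19.9.0 or nginx/1.18.0.
_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")


def parse_headers(raw_response: str) -> dict:
    """Return {lower-case name: value} for the header block of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_versions(raw_response: str) -> list:
    """List (header, product, version) triples for every versioned product found.

    A value without a version (e.g. "Server: webserver") is not listed, so an
    empty result means no version leaked through the fingerprint headers.
    """
    found = []
    headers = parse_headers(raw_response)
    for name in FINGERPRINT_HEADERS:
        if name in headers:
            for product, version in _TOKEN.findall(headers[name]):
                found.append((name, product, version))
    return found


# Constructed sample responses: before and after the Server header is overridden.
BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: gunicorn/19.9.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)
AFTER_FIX = BEFORE_FIX.replace("Server: gunicorn/19.9.0", "Server: webserver")

if __name__ == "__main__":
    for label, resp in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, disclosed_versions(resp))  # before: gunicorn 19.9.0; after: []
```

Against a live instance, feed it the output of a HEAD request to the Airflow web UI and to /health after restarting gunicorn with the modified conf.py.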