From a08445fc566afdacb247a610330a6a32526a93ca Mon Sep 17 00:00:00 2001
From: "Marco A. Nina Mena"
Date: Mon, 20 Oct 2025 11:32:00 -0400
Subject: [PATCH 1/2] Add middleware hide server headers

---
 ProcessMaker/Http/Kernel.php | 1 +
 .../Http/Middleware/HideServerHeaders.php | 91 +++++++++++++++++++
 config/app.php | 3 +
 3 files changed, 95 insertions(+)
 create mode 100644 ProcessMaker/Http/Middleware/HideServerHeaders.php

diff --git a/ProcessMaker/Http/Kernel.php b/ProcessMaker/Http/Kernel.php
index f8a5888430..991672f4b0 100644
--- a/ProcessMaker/Http/Kernel.php
+++ b/ProcessMaker/Http/Kernel.php
@@ -27,6 +27,7 @@ class Kernel extends HttpKernel
 ServerTimingMiddleware::class,
 Middleware\FileSizeCheck::class,
 Middleware\AddTenantHeaders::class,
+ Middleware\HideServerHeaders::class,
 ];
 
 /**
diff --git a/ProcessMaker/Http/Middleware/HideServerHeaders.php b/ProcessMaker/Http/Middleware/HideServerHeaders.php
new file mode 100644
index 0000000000..c46b3a8a77
--- /dev/null
+++ b/ProcessMaker/Http/Middleware/HideServerHeaders.php
@@ -0,0 +1,91 @@
+shouldHideHeaders()) {
+ // Remove all server-revealing headers
+ foreach ($this->headersToRemove as $header) {
+ $response->headers->remove($header);
+ }
+
+ // Set a generic server header to avoid revealing the absence
+ $response->headers->set('Server', 'Web Server');
+ }
+
+ return $response;
+ }
+
+ /**
+ * Determine if headers should be hidden based on environment
+ *
+ * @return bool
+ */
+ private function shouldHideHeaders(): bool
+ {
+ // Hide headers in production or when explicitly configured
+ return app()->environment('production') ||
+ config('app.hide_server_headers', false);
+ }
+}
diff --git a/config/app.php b/config/app.php
index 71d8eb15c2..4106d36af8 100644
--- a/config/app.php
+++ b/config/app.php
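Review bot: `Middleware\HideServerHeaders::class` is appended as the last entry of the global middleware array, and in Laravel's pipeline the last entry is the innermost one, so its post-`$next()` header stripping runs before the outer entries (`ServerTimingMiddleware`, `Middleware\AddTenantHeaders`) get the response back. If any of those set headers after calling `$next()`, those headers are added after the removal loop has already run and will reach the client; this hunk does not show what they set, so treat that as something to confirm. If the intent is to cover everything the application emits, register it first in the list instead, with a comment such as `// Must stay first: it is the outermost middleware, so it sees headers added by every other global middleware on the way out`.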
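Review bot: `shouldHideHeaders()` ORs `app()->environment('production')` with `config('app.hide_server_headers', false)`, so `HIDE_SERVER_HEADERS=false` cannot switch the middleware off in production, and the `false` fallback is dead because the `config/app.php` hunk of this patch defaults the key to `true`. If the config key is meant to be the switch, reduce the method to `return (bool) config('app.hide_server_headers', true);` and say so in the docblock; if production is meant to be unconditional, document that instead, since an operator reading the config comment will expect the env variable to be honoured. Separately, removing entries from `$response->headers` only affects headers the framework itself sends: `X-Powered-By` emitted by PHP's `expose_php` setting and the `Server` header written by nginx or Apache are set outside the Symfony response, so the `'Web Server'` value and the removal of proxy/CDN headers such as `X-Cache-Status` and `X-Served-From` (visible in the second patch) may not survive to the client — verify with a real request against the deployed stack and treat `expose_php = Off` plus the web server's server-token setting as the authoritative controls. The `@return bool` docblock restates the native return type and can be dropped. The top of the new file (imports, class header, the `$headersToRemove` list) is not legible in this view.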
@@ -41,6 +41,9 @@
 // The timeout length for API calls, in milliseconds (0 for no timeout)
 'api_timeout' => env('API_TIMEOUT', 5000),
 
+ // Hide server headers for security (prevents information disclosure)
+ 'hide_server_headers' => env('HIDE_SERVER_HEADERS', true),
+
 // Disables PHP execution in the storage directory
 // TODO Is this config value still used anywhere? :)
 'disable_php_upload_execution' => env('DISABLE_PHP_UPLOAD_EXECUTION', 0),

From 3edc98e89bc9d2775f2ab396faf6738750c2dfe8 Mon Sep 17 00:00:00 2001
From: "Marco A. Nina Mena"
Date: Mon, 20 Oct 2025 15:39:14 -0400
Subject: [PATCH 2/2] Add Name Server

---
 ProcessMaker/Http/Middleware/HideServerHeaders.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/ProcessMaker/Http/Middleware/HideServerHeaders.php b/ProcessMaker/Http/Middleware/HideServerHeaders.php
index c46b3a8a77..31a9258648 100644
--- a/ProcessMaker/Http/Middleware/HideServerHeaders.php
+++ b/ProcessMaker/Http/Middleware/HideServerHeaders.php
@@ -41,8 +41,6 @@ class HideServerHeaders
 'X-Cache-Status',
 'X-Served-From',
 'X-Content-Source',
- 'X-Request-ID',
- 'X-Request-Id',
 
 // PHP specific headers
 'X-PHP-Version',
@@ -71,7 +69,7 @@ public function handle(Request $request, Closure $next): Response
 }
 
 // Set a generic server header to avoid revealing the absence
- $response->headers->set('Server', 'Web Server');
+ $response->headers->set('Server', 'ProcessMaker Server');
 }
 
 return $response;
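Review bot: Setting `Server` to `'ProcessMaker Server'` puts a product identifier back into the very header this middleware exists to neutralise, which makes fingerprinting the application easier than the previous generic `'Web Server'` value did and works against the stated purpose of the `hide_server_headers` option. If a branded value is wanted, keep the version out of it (as this does) and make it configurable rather than hard-coded, e.g. `$response->headers->set('Server', config('app.server_header_value', 'Web Server'));` where `server_header_value` is a constructed key name to be added to `config/app.php` next to `hide_server_headers`. Note also that a `Server` header set from PHP is commonly replaced by the fronting web server, so confirm the value actually reaches clients before relying on it. `handle()` begins before this hunk.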