I've got Spaces buckets configured via CDN. When a user goes to the CDN hostname of the bucket without any real file request it will get a general access denied response. But that response reveals the bucket name.

That can be a security risk as it sometime ties into application names or references to other hostnames you're using in the system. No reason to reveal that info to someone requesting the main url for no legit reason.

The bucket name should not be included in the access denied response or it should be a config setting you can disable/enable.