Make it possible to hide version number from page source

(Richard - #1

Every page served from Discourse contains the Discourse version number, and the Git version.
This could be problematic from a security perspective since this can quickly identify vulnerable versions of the software, if a security issue is ever found. I think it would be a good idea to turn this off by default, or to make this at least something that can be turned off.

(Sam Saffron) #2

I am open to making it possible to turn it off, but I am less happy about shipping this with default off for at least another 6-12 months.

The advantage of being able to quickly figure out if people are “really” running latest code outweighs the security risk here for now.

When we have a stable release cycle then I am more open to disabling by default, but keep in mind people can always easily do feature detection to find the version. You isolate a route missing from a particular revision and hit it. Or you could look at the javascript … etc … etc.

(Richard - #3

That sounds like a good reason and compromise.

(Ildar Abdulin) #4

Yep, the ability to optionally turn it off will be enough.

(Kyle Decker) #5

As someone not so experienced with the technical side of things, such an on/off switch sounds superfluous and confusing for most administrators. It seems like someone with malicious intent would be able to wreak havoc whether or not the version is explicitly stated. It’s like leaving a window open (i.e. a security flaw in the code) and hoping a burglar doesn’t break in just because you hid the welcome mat.

(Richard - #6

At the risk of introducing another incorrect metaphor: no, it’s like leaving a window open and putting up a sign in the front yard stating that a window at the back is open, allowing people to identify houses with an open window much more quickly.

ISO 27002 12.5.4 states that an application should reveal as little information as possible to lower the risk of being attacked. It is generally considered good practice to hide version numbers from internet servers and applications. Want to be taken seriously? Make sure Discourse passes a security audit. Want to play safe there? Make it possible to hide the version number.

And it’s also good practice to make something secure out of the box. So I propose that as soon as Discourse is stable enough, this setting is turned on by default. Let’s not make the same mistake all the other applications made.

(Kyle Decker) #7

Ah, fair enough. As I said, I’m not very experienced with this sort of stuff. The discussion made it sound like an unnecessary complexity.

(Hugo Almeida) #8

Why not show the version number at the admin main page?

(Jeff Atwood) #9

It is already shown there, have you looked?

(David Celis) #10

If it’s shown at the admin main page, then why put it in the source of every other page? Only the admin really needs to see it. Regular users can’t check out the latest git rev and update the code.

(Sam Saffron) #11

Sure, but when I am visiting the various installs out there I can now easily tell what version they are on, and prod them to upgrade if they are on old, buggier versions. The users of the site can do that too if they are savvy.

(Jeff Atwood) #12

Even after V1, I am not entirely sure that removing Discourse version # from source is a good idea. There are other ways to figure it out, if you’re determined…

(lid) #13

security through obscurity == no security

If an attacker is targeting a website or a platform, it's unlikely that he will check for a version before applying an exploit.
It is much easier to just do it. There is a 50/50 chance: either the site is vulnerable or it isn't.

(Mitchell Krog) #14

I know all about security through obscurity, that’s not the reason I would like to be able to disable the <meta generator tag. Is this achievable at all?

(Sam Saffron) #15

Not without a plugin that re-writes bits of core. If you are really really wanting this feature submit a PR to make it configurable.

(Mitchell Krog) #16

Thanks @sam, I figured as much. Not quite ready to be writing plugins intercepting bits of core code just yet :smile: