Should the version be hidden?

Kai_Kretschmann · October 18, 2021, 11:31am

I wonder if it is a good and consistent way to currently:

hide the nginx version information from replies in header, but
display the exact version and git patch level in html source code of Discourse

If someone has an automated tool searching for unpatched security issues, it is failry easy if the HTML source displays the version in the meta generator tag.

I would suggest to remove that information from anonymous requests at least, perhaps even from all non admin accesses.

codinghorror · October 23, 2021, 5:50am

I consider this “security by obscurity” which is no real kind of security at all. It’s better to focus efforts on techniques that actually improve security…

Kai_Kretschmann · October 25, 2021, 5:37am

Sure, focus should be to have a secure system, not to hide the bugs.

I just wondered why the version of nginx gets hidden and the main app version not.

But then it might be even a question with the imap and smtp protocols if one should display those versions too or hide/change them.

IAmGav · October 25, 2021, 5:50pm

it could be cause nginx is inside the docker container ?

Topic		Replies	Views
Show Discourse version on the /about page feature	10	2878	October 28, 2017
How about an easier way to determine version of Discourse by end user feature pr-welcome	22	5116	February 13, 2017
Include version number of Discourse more visibly ux	21	962	March 11, 2023
Does the version of Discourse show anywhere publicly? support	3	660	March 23, 2020
Dockerfile in official install instructions uses unsupported version of Nginx bug	4	562	January 9, 2023

Should the version be hidden?

Related Topics