Should the version be hidden?

Kai_Kretschmann · October 18, 2021, 11:31am

I wonder if it is a good and consistent way to currently:

hide the nginx version information from replies in header, but
display the exact version and git patch level in html source code of Discourse

If someone has an automated tool searching for unpatched security issues, it is failry easy if the HTML source displays the version in the meta generator tag.

I would suggest to remove that information from anonymous requests at least, perhaps even from all non admin accesses.

codinghorror · October 23, 2021, 5:50am

I consider this “security by obscurity” which is no real kind of security at all. It’s better to focus efforts on techniques that actually improve security…

Kai_Kretschmann · October 25, 2021, 5:37am

Sure, focus should be to have a secure system, not to hide the bugs.

I just wondered why the version of nginx gets hidden and the main app version not.

But then it might be even a question with the imap and smtp protocols if one should display those versions too or hide/change them.

IAmGav · October 25, 2021, 5:50pm

it could be cause nginx is inside the docker container ?

Topic		Replies	Views
Show Discourse version on the /about page Feature	11	2972	May 11, 2024
How about an easier way to determine version of Discourse by end user Feature	23	5310	May 11, 2024
Include version number of Discourse more visibly UX	21	1277	March 11, 2023
Does the version of Discourse show anywhere publicly? Support	3	721	March 23, 2020
Include version number in ‘Powered by Discourse’ UX powered-by-discourse	8	249	May 10, 2024

Should the version be hidden?

Related Topics