Should the version be hidden?

I wonder if it is a good and consistent way to currently:

  • hide the nginx version information from replies in header, but
  • display the exact version and git patch level in html source code of Discourse

If someone has an automated tool searching for unpatched security issues, it is fairly easy if the HTML source displays the version in the meta generator tag.

I would suggest to remove that information from anonymous requests at least, perhaps even from all non admin accesses.

3 Likes

I consider this “security by obscurity” which is no real kind of security at all. It’s better to focus efforts on techniques that actually improve security…

2 Likes

Sure, focus should be to have a secure system, not to hide the bugs.

I just wondered why the version of nginx gets hidden and the main app version not.

But then it might be even a question with the IMAP and SMTP protocols if one should display those versions too or hide/change them.

It could be because nginx is inside the Docker container?

1 Like
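For a site operator who wants to see where their own responses are inconsistent in the way the first post describes, the following is an added example and not part of the original thread or of Discourse's code. It audits one response for version strings in the `Server` / `X-Powered-By` headers and in the meta generator tag; the sample response and its version values are constructed placeholders, and the version regex is a heuristic assumption.

```python
import re
from html.parser import HTMLParser

# Heuristic: a dotted version number such as 1.2.3 or 1.2.3.beta4.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+[\w.\-]*")


class _GeneratorFinder(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))


def audit_disclosure(headers, body):
    """Return (location, value) pairs that expose a version string."""
    findings = []
    for name, value in headers.items():
        if name.lower() in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings.append((f"header:{name}", value))
    finder = _GeneratorFinder()
    finder.feed(body)
    for content in finder.generators:
        if VERSION_RE.search(content):
            findings.append(("meta:generator", content))
    return findings


# Constructed sample: version hidden in the header, exposed in the HTML.
SAMPLE_HEADERS = {"Server": "nginx", "Content-Type": "text/html; charset=utf-8"}
SAMPLE_GENERATOR = "Discourse 0.0.0.example - version 0000000placeholder"
SAMPLE_BODY = (
    f'<html><head><meta name="generator" content="{SAMPLE_GENERATOR}">'
    "</head><body></body></html>"
)

if __name__ == "__main__":
    for location, value in audit_disclosure(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{location}: {value}")
```
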