[ZendTo] Feature Request: Option to disable visible version strings

Ricky Boone ricky.boone at gmail.com
Thu Jul 12 16:30:47 BST 2018


I think it would be helpful to include an option that disables the
visibility of the version, at least to non-administrators, that is
normally rendered at the footer of every page.  While there are
absolutely other ways to secure a system, or ways that bad actors
could determine what version you're potentially running, handing out
information like the version string can be a risk if there is a zero
day or other vulnerability.  Several best practices related to
securing a web server include disabling version strings or otherwise
obfuscating the Server header in Apache httpd, for example:

https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002)

For the time being, I'm just clearing out the parts of the footer.tpl
template that include this, but I think this would be cleaner to do
within the config.  If I'm going about this the wrong way, let me
know; however, I'm still of the opinion that publicly announcing this
level of detail is probably not the most secure option, either.


