Removing the X-Garden-Version HTTP header response?
somerandomfellow (New)
Yeah, so anyone looking to crack into a site can't easily see what version it's using. What is the proper code needed to do this (.htaccess preferably)?
Best Answer (somerandomfellow, New)
Negative Ghost Rider. I tried "Header unset" .. didn't work. Even tried removing through PHP. Didn't work. However, I apparently can use mod_rewrite to conditionally set an environment variable on the URL-path and use this to conditionally remove (or "unset") the HTTP response header.

    # .htaccess (needs mod_rewrite and mod_headers enabled)
    RewriteEngine On
    # Set REMOVE_HEADER env var depending on the URL-path
    RewriteRule ^bar - [E=REMOVE_HEADER:1]
    # Unset the "X-Garden-Version" header if the REMOVE_HEADER is set
    Header unset X-Garden-Version env=REMOVE_HEADER

What is even easier is placing both "Header unset" and "Header always unset" in .htaccess.

    # "always" also covers headers added by the handler (e.g. PHP) and non-2xx responses
    Header always unset X-Garden-Version
    Header unset X-Garden-Version
I guess due to the natural order of things, this is what must be done for us Apache country bumpkins.
Edit: You were right that Vanilla's assets are versioned and with that I hate myself.
Answers
Always keep the software you use up to date. That's where you should invest energy. Hiding and hoping not to be caught is no security concept.
I do and follow every practical security standard possible.
Obscurity is absolutely beneficial and part of hardening a website imo and many others though. Especially considering Vanilla 3.3's codebase has countless vulnerabilities (obviously PHP as well).
Do you know the answer?
Well, let me google that for you... ;-)
"htaccess remove header" => Header unset...
Don't know if this works, though. By the way: Vanilla's assets normally are versioned, too. You can check if you have been successful with a page like this
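The answer above suggests verifying the result against a live page, and points out that the version also shows up in asset URLs. The following script is an added example (not from this thread or from Vanilla's own code) that does both checks: it looks for the X-Garden-Version response header, case-insensitively, and for asset URLs that carry a version query string. The "?v=<version>" asset convention, the sample HTML and the "Vanilla 3.3" header value are assumptions constructed for the example; the built-in loopback server exists only so the check can be run offline.

```python
"""Check whether a site still leaks its version after the .htaccess change:
the X-Garden-Version header and version strings on asset URLs."""
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Assumed pattern for versioned asset URLs, e.g. /js/library.js?v=3.3
ASSET_VERSION_RE = re.compile(r'(?:src|href)=["\']([^"\']*\?v=[^"\'&]+)', re.I)


def find_version_leaks(headers, body):
    """Return the leaked header value (or None) and asset URLs carrying a
    version string. `headers` is any mapping; lookup is case-insensitive
    because HTTP header names are."""
    header_value = None
    for name, value in headers.items():
        if name.lower() == "x-garden-version":
            header_value = value
    assets = ASSET_VERSION_RE.findall(body)
    return {"header": header_value, "versioned_assets": assets}


def scan_url(url):
    """Fetch a page and run the leak check on its headers and HTML."""
    with urlopen(url, timeout=5) as resp:
        headers = dict(resp.getheaders())
        body = resp.read().decode("utf-8", errors="replace")
    return find_version_leaks(headers, body)


# Constructed stand-in page so the example runs offline (not real Vanilla output)
SAMPLE_BODY = (
    '<html><head>'
    '<link rel="stylesheet" href="/applications/vanilla/design/style.css?v=3.3">'
    '<script src="/js/library/jquery.js?v=3.3"></script>'
    '<script src="/js/plain.js"></script>'
    '</head><body></body></html>'
)


class _FakeVanilla(BaseHTTPRequestHandler):
    send_version = True  # False simulates the header having been unset

    def do_GET(self):
        body = SAMPLE_BODY.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        if self.send_version:
            self.send_header("X-Garden-Version", "Vanilla 3.3")  # constructed value
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass


def run_demo(send_version=True):
    """Serve the sample page on a loopback port, scan it, and return the result."""
    _FakeVanilla.send_version = send_version
    server = HTTPServer(("127.0.0.1", 0), _FakeVanilla)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return scan_url("http://127.0.0.1:%d/" % server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo(True))   # header still present, two versioned assets
    print(run_demo(False))  # header gone, but the assets still reveal the version
```

Run it against a real site with `scan_url("https://forum.example/")`. The second demo call shows the point made above: unsetting the header alone leaves the version readable in the asset URLs, so the check has to cover both.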
You might be able to change that by messing around with the version numbers in the config files.
I am trying to find the easiest way to mask all the versioning and meta tags while still allowing it to be easily unmasked for debugging.
Will probably have to just create a plugin.
Gonna fiddle around, tbd.