Removing the X-Garden-Version HTTP header response?

Yeah, so anyone looking to crack into a site can't easily see what version it's using. What is the proper code needed to do this (.htaccess preferably)?

Best Answer

  • edited March 2021 (accepted answer)

    Negative, Ghost Rider. I tried Header unset... didn't work. Even tried removing it through PHP. Didn't work.

    However, I apparently can use mod_rewrite to conditionally set an environment variable on the URL-path and use this to conditionally remove (or unset) the HTTP response header.

    RewriteEngine On
    
    # Set REMOVE_HEADER env var depending on the URL-path
    RewriteRule ^bar - [E=REMOVE_HEADER:1]
    
    # Unset the "X-Garden-Version" header if the REMOVE_HEADER is set
    Header unset X-Garden-Version env=REMOVE_HEADER
    

    What is even easier is placing both Header unset and Header always unset in .htaccess.

    Header always unset X-Garden-Version
    Header unset X-Garden-Version
    

    I guess due to the natural order of things, this is what must be done for us Apache country bumpkins.

    Edit: You were right that Vanilla's assets are versioned and with that I hate myself.
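The accepted answer above gives the .htaccess change but not a way to confirm it took effect. The script below is an added example, not code from the thread or from Vanilla, that checks a raw header dump for X-Garden-Version and also lists the "?v=" asset versions the edit at the end of the answer refers to. Assumptions: the forum host https://forum.example.test is hypothetical, the sample responses and HTML are constructed, and versioned asset URLs are assumed to carry a "?v=<version>" query string. It checks both a normal page and an error page because mod_headers keeps two header tables: plain `Header unset` edits the table that is merged only into 2xx responses, while `Header always unset` edits the table merged into every response, including 404 and 500 pages, and which table a header lands in depends on the module that set it. Both directives also need mod_headers loaded and `AllowOverride FileInfo` for the .htaccess to be honoured at all.

```shell
#!/bin/sh
# Added example (not from the thread, not Vanilla's code): confirm that
# X-Garden-Version is gone from Apache responses after the .htaccess change.
# Assumptions: https://forum.example.test is a hypothetical host; the sample
# responses below are constructed; versioned asset URLs carry "?v=<version>".
#
# Why two checks per site: "Header unset" only edits the table merged into
# 2xx responses; "Header always unset" edits the table merged into every
# response, error pages included. Which table a header lands in depends on
# the module that set it, so test a normal page AND an error page.
# Both directives need mod_headers loaded and AllowOverride FileInfo.

# Read a raw HTTP header dump on stdin; print "present" or "absent" for the
# header named in $1. Header names are case-insensitive, so match -i.
header_state() {
    if grep -qi "^$1:"; then
        echo present
    else
        echo absent
    fi
}

# Fetch headers for a URL with a real GET (not HEAD: some stacks answer HEAD
# differently) and report whether X-Garden-Version survived.
# -D - writes the response headers to stdout; -o /dev/null drops the body.
check_url() {
    url="$1"
    state=$(curl -sS -o /dev/null -D - "$url" | header_state X-Garden-Version)
    echo "$url: X-Garden-Version $state"
    [ "$state" = absent ]
}

# List distinct version strings leaked through "?v=" asset query strings in
# an HTML body on stdin (the second leak the answer's edit mentions).
# Assumption: Vanilla's versioned assets look like /path/file.js?v=<version>.
asset_versions() {
    grep -oi '[?&]v=[^"&'"'"' ]*' | sed 's/^[?&]v=//' | sort -u
}

# Constructed sample responses (not captured from a real forum) so the helpers
# can be exercised offline: a leaking 200 page, and a 404 page after
# "Header always unset" was added.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: Apache
X-Garden-Version: Vanilla 3.3
Content-Type: text/html; charset=utf-8
'
SAMPLE_404_AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=utf-8
'
SAMPLE_HTML='<script src="/js/library/jquery.js?v=3.3"></script>
<link rel="stylesheet" href="/applications/dashboard/design/style.css?v=3.3">'

demo() {
    echo "200 before:   $(printf '%s' "$SAMPLE_BEFORE" | header_state X-Garden-Version)"
    echo "404 after:    $(printf '%s' "$SAMPLE_404_AFTER" | header_state X-Garden-Version)"
    echo "asset versions still in HTML: $(printf '%s' "$SAMPLE_HTML" | asset_versions | tr '\n' ' ')"
}
demo

# Against the live site (needs network), test a normal page and a 404:
#   check_url https://forum.example.test/ && check_url https://forum.example.test/does-not-exist
```

Run it as-is to see the offline demo; uncomment the last line (with your own host) to test the live site. Note that removing the header alone still leaves the version visible in the asset URLs, which is what the final section of the script is there to show.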

Answers

  • R_J (Admin)

    Always keep the software you use up to date. That's where you should invest energy. Hiding and hoping not to be caught is no security concept.

  • I do and follow every practical security standard possible.

    Obscurity is absolutely beneficial and part of hardening a website imo and many others though. Especially considering Vanilla 3.3's codebase has countless vulnerabilities (obviously PHP as well).

    Do you know the answer?

  • R_J (Admin)

    Well, let me google that for you... ;-)

    "htaccess remove header" => Header unset...

    Don't know if this works, though. By the way: Vanilla's assets normally are versioned, too. You can check if you have been successful with a page like this

  • R_J (Admin)

    You might be able to change that by messing around with the version numbers in the config files.

  • edited March 2021

    I am trying to find the easiest way to mask all the versioning and meta tags while still allowing it to be easily unmasked for debugging.

    Will probably have to just create a plugin.

    Gonna fiddle around, tbd.