Yeah, so anyone looking to crack in to a site can't easily see what version it's using, what is the proper code needed to do this (.htaccess preferably)?
Negative Ghost Rider. I tried Header unset.. didn't work. Even tried removing through PHP. Didn't work.
However, I apparently can use mod_rewrite to conditionally set an environment variable on the URL-path and use this to conditionally remove (or unset) the HTTP response header.
# Set REMOVE_HEADER env var depending on the URL-path
RewriteRule ^bar - [E=REMOVE_HEADER:1]
# Unset the "X-Garden-Version" header if the REMOVE_HEADER is set
Header unset X-Garden-Version env=REMOVE_HEADER
What is even easier is placing both Header unset and Header always unset in .htaccess.
Header always unset
Header always unset X-Garden-Version
Header unset X-Garden-Version
I guess due to the natural order of things, this is what must be done for us Apache country bumkins.
Edit: You were right that Vanilla's assets are versioned and with that I hate myself.
Always keep the software you use up to date. That's where you should invest energy. Hiding and hoping not to be caught is no security concept.
I do and follow every practical security standard possible.
Obscurity is absolutely beneficial and part of hardening a website imo and many others though. Especially considering Vanilla 3.3's codebase has countless vulnerabilities (obviously PHP as well).
Do you know the answer?
Well, let me google that for you... ;-)
"htaccess remove header" => Header unset...
Don't know if this works, though. By the way: Vanilla's assets normally are versioned, too. You can check if you have been successful with a page like this
You might be able to change that by messing around with the version numbers in the config files.
I am trying to find the easiest way to mask all the versioning and meta tags while still allowing it to be easily unmasked for debugging.
Will probably have to just create a plugin.
Gonna fiddle around, tbd.