Hide Gitea's version also in page source #9491

Closed
opened 2025-11-02 08:40:35 -06:00 by GiteaMirror · 2 comments

Originally created by @efelon on GitHub (Aug 31, 2022).

Description

Referencing #5271, where the version of gitea is hidden in the footer by using the corresponding configuration value SHOW_FOOTER_VERSION, mainly for security concerns.

To make it consistent it would be good to also hide the version in the page source. This is also visible to unauthenticated users:

```html
<script>
	<!--   -->
	window.addEventListener('error', function(e) {window._globalHandlerErrors=window._globalHandlerErrors||[]; window._globalHandlerErrors.push(e);});
	window.config = {
		appVer: '1.17.1',
```

Gitea Version

1.17.1

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Release Package on Debian.

Database

MySQL

GiteaMirror added the type/enhancement label 2025-11-02 08:40:35 -06:00

@JakobDev commented on GitHub (Sep 1, 2022):

It is also possible to get the version through the API. This should also be disabled in case the version should be hidden.


@wxiaoguang commented on GitHub (Sep 1, 2022):

Not only in the API, but the fingerprint also exists in many resource names like `script.hash.js` or `script.js?v=hash`. Usually the hash comes from the version string or it is a one-to-one mapping with the version. So, reading the hash lets readers know which version the app is. For example, you will also see `index.css?v=7ea14c4ca3b4ece8917e08968da69260` in the page source code; the `7ea14c4ca3b4ece8917e08968da69260` is `MD5('1.17.1')`.

Hiding the version in the footer will help to prevent the version from being crawled by search engines, which can help to reduce the chance of being found by attackers doing a Google search like "app-name version".

However, hiding the version everywhere doesn't help much for security; as said above, there are too many clues, and an attacker could just ignore the version and try all vulnerabilities on the app no matter what version the app is.


There could be a workaround for people who do not want to see the version: compile from source and change the version variable.

If most people prefer to hide all versions completely, a new option should be used instead of `SHOW_FOOTER_VERSION` (because there are many different places: the resource name, the API, the footer, etc.). And it should be designed with more thought, e.g.: should it hide the hash clues as well?

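As an added example (not code from this issue or from Gitea itself), a small self-audit an operator can run over their own instance's page source to list the disclosure points named in this thread: the `appVer` value, a footer version string, and a `?v=` asset hash that equals the MD5 of the running version. The sample page below is constructed inline; the regexes are assumptions about the markup, not Gitea's templates.

```python
import hashlib
import re

# Constructed sample page (not captured from a real instance). The asset hash is
# built the way the comment above describes: MD5 of the version string.
CONFIGURED_VERSION = "1.17.1"
ASSET_HASH = hashlib.md5(CONFIGURED_VERSION.encode()).hexdigest()
SAMPLE_PAGE = f"""
<link rel="stylesheet" href="/assets/css/index.css?v={ASSET_HASH}">
<script>
window.config = {{
    appVer: '{CONFIGURED_VERSION}',
}};
</script>
<footer>Powered by Gitea</footer>
"""

# Hypothetical patterns for the three disclosure points discussed in the thread.
APPVER_RE = re.compile(r"appVer:\s*'([^']*)'")
ASSET_V_RE = re.compile(r"[\w/.-]+\?v=([0-9a-f]{32})")
FOOTER_VERSION_RE = re.compile(r"Version:\s*([0-9]+\.[0-9]+\.[0-9]+)")


def audit_version_disclosure(page_html: str, version: str) -> dict:
    """Report where a page of one's own instance exposes the running version."""
    findings = {
        "app_ver": None,
        "footer_version": None,
        "asset_hashes": [],
        "asset_hashes_matching_version": [],
    }
    m = APPVER_RE.search(page_html)
    if m:
        findings["app_ver"] = m.group(1)
    m = FOOTER_VERSION_RE.search(page_html)
    if m:
        findings["footer_version"] = m.group(1)
    # A ?v= hash only leaks the version if it is derived from it, so compare
    # each one against MD5 of the version the operator knows they are running.
    expected = hashlib.md5(version.encode()).hexdigest()
    for h in sorted(set(ASSET_V_RE.findall(page_html))):
        findings["asset_hashes"].append(h)
        if h == expected:
            findings["asset_hashes_matching_version"].append(h)
    findings["discloses_version"] = bool(
        findings["app_ver"]
        or findings["footer_version"]
        or findings["asset_hashes_matching_version"]
    )
    return findings
```

Re-run the audit after changing settings or templates: a page that still returns `discloses_version == True` has not actually hidden anything, which is the point the comment above makes about the many remaining clues.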
Reference: github-starred/gitea#9491