OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License

Should not use 'x-powered-by' #8910

Closed kdubious closed 3 years ago

kdubious commented 3 years ago

The system returns a value, orchardcore, in an x-powered-by header.


Why?

Sending these types of HTTP headers:

Skrypt commented 3 years ago

That's how @sebastienros tracks us 😉

kdubious commented 3 years ago

@Skrypt... all the more reason to kill that header, then. :)

Skrypt commented 3 years ago

https://github.com/OrchardCMS/OrchardCore/blob/8578439874ca91e6c8bf134995b86f9b3e97c2a4/src/OrchardCore/OrchardCore/Modules/PoweredByMiddleware.cs#L46

https://github.com/OrchardCMS/OrchardCore/blob/37459b27a7437d398998e521a650a65172db6b3e/src/OrchardCore/OrchardCore/Modules/Extensions/ApplicationBuilderExtensions.cs#L28

https://github.com/OrchardCMS/OrchardCore/blob/8578439874ca91e6c8bf134995b86f9b3e97c2a4/src/OrchardCore/OrchardCore/Modules/Extensions/PoweredByOrchardCoreExtensions.cs#L15-L38

hishamco commented 3 years ago

I have seen such a header in many CMSs, to know it's powered by a certain one, but you can disable it if you like as @Skrypt mentioned above.

kdubious commented 3 years ago

Excellent!

Would be much safer to be false by default.

for now:

app.UseOrchardCore()
  .UsePoweredByOrchardCore(false);

Skrypt commented 3 years ago

Well, it was a secret ... 😉

kdubious commented 3 years ago

@hishamco I understand, but it's never a good idea to do something insecure by default because you've seen it done other places.

sebastienros commented 3 years ago

It's documented how to disable it.

However we ask users not to do it as it allows us to know how many public websites are using orchardcore. We don't have any data about our main website usage, we don't do any pings back when you open the dashboard. We have literally nothing but this default header. But yet you can disable it with a simple boolean and again, it is documented.

> does not provide any value to the user experience

How can we justify the time we spend on this product if there are no users of the product? This is our only way to justify what we do. When your customers ask why they should use Orchard, or if anyone else uses it, aren't you happy we can give them some examples? When my managers ask me what's the point of spending their budget on an open source project, I am glad I can give them some links to websites using our tech. If we don't have that, and only rely on the good will of people mentioning the website they are deploying, I couldn't work on it anymore.

> contributes to header bloat

You can disable it if you really think so. But again, take a look at the size of your page, of the whole requests, even the smallest one. If you still can't do it, disable it. But then please file an entry in https://showorchard.com

> exposes information to potential attackers about the technology stack being used

Wrong. If one wants to hack a site there are many other ways to guess it. And usually hackers use bots to send the attack without even thinking about what tech is being used. Just look at your web logs.

hishamco commented 3 years ago

Could you please elaborate what's the security issues if I expose the CMS or Framework name?

kdubious commented 3 years ago

@sebastienros I didn't read the docs on this item since it was on by default, was just "testing" my site and stumbled on it.

> Wrong. If one wants to hack a site there are many other ways to guess it. And usually hackers use bots to send the attack without even thinking about what tech is being used. Just look at your web logs.

I hate to be disagreeable, but I am 100% not "wrong". Given a site, yes, I can infer the CMS. (/wp-content). But, given the Internet, and a specific header, I can FIND a site that is targetable. And that's the risk. A malicious user has access to the source code that is running, and can write a spider to locate sites running it.

You can "measure" users other ways, advertising a security risk on the public Internet is dangerous. No need to debate it, making the change is not my decision.

sebastienros commented 3 years ago

> exposes information to potential attackers about the technology stack being used

Correct. But it doesn't make it safer or more secure to remove it.

Here, did I save it ;)

kdubious commented 3 years ago

Many animals in the wild have what is referred to as a "Fight or Flight Instinct." In reality, there are 3 components... Fight, flight and hide. In very many cases, animals avoid death by hiding. (Some school kids are taught "Run. Hide. Fight." for active shooter situations, a can of worms we can avoid discussing)

Given an animal has a "security issue", hiding is safer than not hiding.

Any argument in favor of keeping it ignores security and is motivated by something else. Of course, it's your choice.

> But then please file an entry in https://showorchard.com

Absolutely... in fact, I will submit very many over time. This is an awesome system and I hope to help it be even more awesome in the future.

kdubious commented 3 years ago

@hishamco I think I answered your request to elaborate. Please let me know if I didn't.

Skrypt commented 3 years ago

You could easily parse an HTML page rendered by Orchard to know it's been rendered by Orchard just by looking at the path of files, to be honest. Here is an example of a stylesheet that comes from the OrchardCore.Resources module.

<link href="/OrchardCore.Resources" ...

Here, the x-powered-by header is just one other way to get to know which CMS is used with a website. At least, we don't provide any hint on the version. But, generally, if you want to target a specific CMS with a bot then you will find many other ways than just using the x-powered-by header to validate your hacks.

Here is one website made with WordPress, in which I just found:

<meta name="generator" content="WordPress 5.5.1" />

So the general rule is simply to fix issues when they happen, I think.
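The two Orchard Core tells discussed in this thread (the x-powered-by header and the /OrchardCore.Resources asset path) plus the WordPress generator meta tag, as a small fingerprinting check. This is an added example, not code from the OrchardCore project or from anyone in the thread; the regexes and the sample responses are constructed here, and the point it demonstrates is the one made above: with the header switched off, the asset path still identifies the CMS.

```python
"""
Fingerprint a CMS from a captured HTTP response.

Added example: the detection patterns and the sample responses below are
constructed for an offline run and are not taken from any real site.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Response:
    headers: Dict[str, str]   # header name -> value, as received
    body: str                 # response body (HTML)


@dataclass
class Fingerprint:
    cms: Optional[str]
    evidence: List[str] = field(default_factory=list)


# Assumed patterns. "/OrchardCore.Resources" is the asset path quoted in the
# thread; any module path under /OrchardCore.* is treated the same way.
ORCHARD_PATH_RE = re.compile(r'(?:href|src)="/OrchardCore\.[A-Za-z.]+', re.I)
WP_GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress[^"]*"', re.I
)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    # HTTP header names are case-insensitive; normalise before looking up.
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def fingerprint(resp: Response) -> Fingerprint:
    """Return the guessed CMS and every tell that supported the guess."""
    evidence: List[str] = []

    powered = _header(resp.headers, "X-Powered-By")
    if powered and "orchardcore" in powered.lower():
        evidence.append(f"x-powered-by header: {powered}")
    if ORCHARD_PATH_RE.search(resp.body):
        evidence.append("asset path under /OrchardCore.*")
    if evidence:
        return Fingerprint("OrchardCore", evidence)

    wp = WP_GENERATOR_RE.search(resp.body)
    if wp:
        return Fingerprint("WordPress", [wp.group(0)])

    return Fingerprint(None, [])


# Constructed sample responses (not captured from any real site).
ORCHARD_MARKUP = (
    '<html><head>'
    '<link href="/OrchardCore.Resources/Styles/site.css" rel="stylesheet">'
    '</head><body></body></html>'
)
SAMPLE_DEFAULT = Response(
    headers={"Content-Type": "text/html", "X-Powered-By": "OrchardCore"},
    body=ORCHARD_MARKUP,
)
# Same site after app.UseOrchardCore().UsePoweredByOrchardCore(false):
SAMPLE_HEADER_OFF = Response(
    headers={"content-type": "text/html"},
    body=ORCHARD_MARKUP,
)
SAMPLE_WORDPRESS = Response(
    headers={"Content-Type": "text/html"},
    body='<html><head><meta name="generator" content="WordPress 5.5.1" /></head></html>',
)
SAMPLE_CLEAN = Response(
    headers={"Content-Type": "text/html"},
    body="<html><body>nothing to see</body></html>",
)


if __name__ == "__main__":
    for label, resp in [("default", SAMPLE_DEFAULT), ("header off", SAMPLE_HEADER_OFF),
                        ("wordpress", SAMPLE_WORDPRESS), ("clean", SAMPLE_CLEAN)]:
        fp = fingerprint(resp)
        print(f"{label:10s} -> {fp.cms} {fp.evidence}")
```

Running it shows the "header off" response still classified as Orchard Core on the asset path alone, which is why removing the header on its own is a weak hardening step; a spider of the kind described earlier in the thread would simply key on the path instead.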

kdubious commented 3 years ago

@Skrypt <link href="/OrchardCore.Resources" ...

I just didn't get to that yet. ;)

Without /OrchardCore.Resources and without the header, how else can someone identify a site as an OC site?

PLEASE do not use WP as an example. Search for "how do I fix my hacked WP site." (350,000,000 Results on Bing)

Skrypt commented 3 years ago

Yes, but either they are still arrogant after all these years or they are making huge money with people fixing these.

kdubious commented 3 years ago

When you have HUGE market share (think Internet Explorer in 2009), you can ignore lots of important things.


Skrypt commented 3 years ago

You can find OC websites by finding different repeated patterns in some of our themes ... or it could be just the fact that we use some specific bootstrap theme ... or because the login page is built with these specific html elements in that specific order ... Could name thousands of ways.

The important thing is that it be secure in the end. Which means, if we find security issues then we need to fix them.

And, of course, the x-powered-by is optional. Not even enforced by the licence. But at least if you remove it, advertise that you are using Orchard Core for us, benevolent contributors 😉

kdubious commented 3 years ago

> You can find OC website by different repeated patterns in some of our themes ... or it could be just the fact that we use some specific bootstrap theme

  1. I'm pretty sure most bigger sites make their own theme

> because the login page is built with these specific html elements in that specific order

  1. Possible. Yet easy enough to restrict IP address access to /admin without recompiling code

> Could name thousands of ways.

  1. I think not and I hope not.

I'm glad to be quiet now. I've said my piece. A site that sends an x-powered-by header is less secure than one that doesn't send it. There are financial reasons to keep that feature on by default, and as a small business owner, I understand financial reasons.

I'm going to close this, but don't want me closing it to seem adversarial.

@sebastienros, would you like to close this?

Skrypt commented 3 years ago

I think everything has been said and sorted out 😄

sebastienros commented 3 years ago

That ended too well, too soon.

Skrypt commented 3 years ago

It didn't, it just moved 🐰 https://github.com/OrchardCMS/OrchardCore/issues/8912