PhileCMS / Phile

A flat file CMS with a swappable parser and template engine.
https://philecms.github.io/

Custom Phile Header #178

Closed james2doyle closed 9 years ago

james2doyle commented 9 years ago

This piggybacks off #166 a little. I think it would be cool to have a X-Phile-Version: 1.3.0 header in the response.

You can see examples of this in a bunch of sites. I actually saw that the WP-Super Cache plugin adds WP-Super-Cache:Served supercache file from PHP to the response.

gexclaude commented 9 years ago

Question is what you want to achieve with it. From a security point of view this is a technical information disclosure which gives an attacker the exact Phile version. So he would know that a) Phile is used and b) in which version. This makes it easier to find or make use of known vulnerabilities.

Frodox commented 9 years ago

@gexclaude +1, good to make it optional through config.php in this case.

Schlaefer commented 9 years ago

No strong opinion, but leaning to a No. It's a fancy gimmick, but as @gexclaude said it's usually not recommended to expose stack and version details (in header or template comments) for security reasons.

james2doyle commented 9 years ago

OK, that does make some sense. I think it could be nice "advertising" in having something there to show the site is running Phile. I usually check sites to see what they are running, hence the notes about the WordPress plugins and such.

So is it not worth having at all?

Frodox commented 9 years ago

So is it not worth having at all?

Well, it is not totally bad, if there is some case of usage. I think it should be a configurable option, like expose_php in php, ServerTokens and ServerSignature in apache and so on.

Schlaefer commented 9 years ago

OK, I vote for a single <!-- Made with PhileCMS --> in the default theme index.html <head> section.
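The thread weighs a version header against a plain HTML comment, and mentions the server-side knobs (expose_php, ServerTokens, ServerSignature) that govern the other headers a response carries. The following is an added example, not code from the Phile project: it parses a captured HTTP response and lists the fingerprints discussed here, so an operator can see on their own deployment which headers or markup reveal the stack and which of them also reveal a version. Both sample responses are constructed; X-Generator and the `<meta name="generator">` tag are assumed common fingerprints not named on this page.

```python
"""Audit a captured HTTP response for stack and version disclosure.

Added example (not Phile project code). It flags:
  * headers that commonly carry stack/version tokens (Server, X-Powered-By,
    X-Generator, and the X-Phile-Version header proposed in this issue),
  * a <meta name="generator"> tag or a "Made with ..." comment in the HTML,
and records whether each finding includes a version number.
"""
import re
from typing import Dict, List, Tuple

# Header names that commonly disclose the stack (lowercased for comparison).
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-generator", "x-phile-version"}

# A version-looking token such as 1.3.0 or 2.4.10.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")

# HTML-level fingerprints: generator meta tag and "Made with / Powered by" comments.
META_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I
)
COMMENT_RE = re.compile(
    r"<!--\s*(?:made|powered|built)\s+(?:with|by)\s+([^>]*?)\s*-->", re.I
)

# Constructed sample: verbose stack, version in three places.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.10 (Debian)\r\n"
    "X-Powered-By: PHP/5.6.4\r\n"
    "X-Phile-Version: 1.3.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Site</title></head><body>hi</body></html>"
)

# Constructed sample: ServerTokens Prod / expose_php Off style output, with
# only the HTML comment proposed in this thread.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head><!-- Made with PhileCMS --><title>Site</title></head>"
    "<body>hi</body></html>"
)


def parse_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into a lowercase-keyed header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def audit_response(raw: str) -> List[dict]:
    """Return one finding per disclosure indicator, header findings first."""
    headers, body = parse_response(raw)
    findings: List[dict] = []
    for name in sorted(headers):
        if name in DISCLOSURE_HEADERS or name.startswith("x-phile"):
            value = headers[name]
            findings.append({"where": "header", "name": name, "value": value,
                             "version": bool(VERSION_RE.search(value))})
    for m in META_GENERATOR_RE.finditer(body):
        findings.append({"where": "html", "name": "meta generator", "value": m.group(1),
                         "version": bool(VERSION_RE.search(m.group(1)))})
    for m in COMMENT_RE.finditer(body):
        findings.append({"where": "html", "name": "comment", "value": m.group(1),
                         "version": bool(VERSION_RE.search(m.group(1)))})
    return findings


def discloses_version(raw: str) -> bool:
    """True if any indicator carries an exact version, the case gexclaude warns about."""
    return any(f["version"] for f in audit_response(raw))


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: version disclosed = {discloses_version(raw)}")
        for f in audit_response(raw):
            print(f"  [{f['where']}] {f['name']}: {f['value']}")
```

Run against a response saved from your own site, the hardened sample shows the distinction the thread lands on: the `<!-- Made with PhileCMS -->` comment still identifies the CMS, but without a version string it does not point at a specific release.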

james2doyle commented 9 years ago

+1

On Mon, Mar 23, 2015 at 1:28 PM Schlaefer notifications@github.com wrote:

OK, I vote for a single <!-- Made with PhileCMS --> in the default theme index.html <head> section.

  • easy to spot and to remove if you inspect/customize the theme
  • no complicated configuration for esoteric features like HTML-headers


X3msnake commented 9 years ago

+1

Schlaefer commented 9 years ago

fixed in #223