Closed james2doyle closed 9 years ago
Question is what you want to achieve with it. From a security point of view this is a technical information disclosure which gives an attacker the exact Phile version. So he would know that a) Phile is used and b) in which version. This makes it easier to find or make use of known vulnerabilities.
@gexclaude +1
good to do it optional through the `config.php` in this case
No strong opinion, but leaning to a No. It's a fancy gimmick, but as @gexclaude said it's usually not recommended to expose stack and version details (in header or template comments) for security reasons.
Ok that does make some sense. I think it could be nice "advertising" in having something there to show the site is running Phile. I usually check sites to see what they are running, hence the notes about the WordPress plugins and such.
So is it not worth having at all?
> So is it not worth having at all?
Well, it is not totally bad, if there is some case of usage. I think it should be a configurable option, like `expose_php` in PHP, `ServerTokens` and `ServerSignature` in Apache and so on.
OK, I vote for a single `<!-- Made with PhileCMS -->` in the default theme index.html `<head>` section.
+1
On Mon, Mar 23, 2015 at 1:28 PM Schlaefer notifications@github.com wrote:
> OK, I vote for a single in the default theme index.html section.
>
> - easy to spot and to remove if you inspect/customize the theme
> - no complicated configuration for esoteric features like HTML-headers
+1
fixed in #223
This piggybacks off #166 a little. I think it would be cool to have an `X-Phile-Version: 1.3.0` header in the response. You can see examples of this in a bunch of sites. I actually saw that the WP-Super Cache plugin adds `WP-Super-Cache:Served supercache file from PHP` to the response.
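An added example, not part of this thread or of Phile's code: a check a site owner can run over a captured response from their own site to separate the two disclosure levels discussed above, exact version (the proposed `X-Phile-Version`, or `Server` / `X-Powered-By` banners that carry a version) versus product name only (the `<!-- Made with PhileCMS -->` comment). The function names and the Apache and PHP version strings in the sample are constructed for illustration.

```python
import re

# Headers that identify the stack. X-Phile-Version and WP-Super-Cache are the
# two named in this thread; Server and X-Powered-By are the ones that
# ServerTokens/ServerSignature and expose_php control.
STACK_HEADERS = {"server", "x-powered-by", "wp-super-cache"}
VERSION_HEADER_RE = re.compile(r"^x-.+-version$", re.I)
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")            # 1.3.0, 2.4.10, ...
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
BANNER_RE = re.compile(r"\b(?:made|powered|generated)\s+(?:with|by)\b", re.I)


def _level(text):
    """'version' if an exact version number is exposed, else 'product'."""
    return "version" if VERSION_RE.search(text) else "product"


def audit_response(raw):
    """Return (where, name, level) findings for one raw HTTP response."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    for line in head.split("\n")[1:]:                # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip()
        if name.lower() in STACK_HEADERS or VERSION_HEADER_RE.match(name):
            findings.append(("header", name, _level(value)))
    for comment in COMMENT_RE.findall(body):         # theme banner comments
        if BANNER_RE.search(comment):
            findings.append(("comment", comment.strip(), _level(comment)))
    return findings


# Constructed sample response (all values invented for this example).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.10 (Debian)\r\n"
    "X-Powered-By: PHP/5.6.7\r\n"
    "X-Phile-Version: 1.3.0\r\n"
    "WP-Super-Cache: Served supercache file from PHP\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><!-- Made with PhileCMS --></head><body><!-- nav --></body></html>"
)

if __name__ == "__main__":
    for where, name, level in audit_response(SAMPLE):
        print(f"{level:8} {where:8} {name}")
```

A response that yields only `product` findings matches the outcome voted for in the thread: the site still says it runs Phile, but not which release.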