[TYPO3] Removing the meta "generator" from header
Dmitry Dulepov [typo3]
dmitry at typo3.org
Wed Dec 5 10:38:59 CET 2007
Hi!
Claudio Strizzolo wrote:
> What I don't like, and would like to avoid, is to show the VERSION of
> TYPO3 through which the pages were built, basically for security reasons:
> imagine that I have used a version of TYPO3 that later is discovered to
> be buggy about security, and I haven't had time to update yet. If the
> code of the pages shows the version of the software, this could be an
> hint for malicious people trying to force my system: they might be aware
> that my web server is using a buggy software and trying to break it.
> Up to now, TYPO3 has looked solid as a rock to me, but who knows what
> might happen in the future? Bugs happen.
> For instance, I find absolutely reasonable that the administrative login
> page (http://mysite.org/typo3/) does not display the version of TYPO3 in
> use, for the very same reason.
Now I got it :) Sorry for my misunderstanding :(
Your arguments are very reasonable. At the moment you cannot disable generator meta by configuration but this feature can be added. Do you think making it
<meta name="generator" content="TYPO3 CMS" />
is more secure? This what Apache has, it can report full version or just say "Server: Apache". We can do the same I think.
--
Dmitry Dulepov
TYPO3 core team
Web: http://typo3bloke.net/
Skype: callto:liels_bugs
"Nothing is impossible. There are only limits to our knowledge"
More information about the TYPO3-english
mailing list