[TYPO3] Removing the meta "generator" from header
Christopher Torgalson
bedlamhotel at gmail.com
Wed Dec 5 10:53:53 CET 2007
Hi,
Dmitry Dulepov [typo3] wrote:
> Hi!
>
> Claudio Strizzolo wrote:
>> What I don't like, and would like to avoid, is to show the VERSION of
>> TYPO3 through which the pages were built, basically for security reasons:
>> imagine that I have used a version of TYPO3 that later is discovered to
>> be buggy about security, and I haven't had time to update yet. If the
>> code of the pages shows the version of the software, this could be a
>> hint for malicious people trying to force my system: they might be aware
>> that my web server is using buggy software and trying to break it.
>> Up to now, TYPO3 has looked solid as a rock to me, but who knows what
>> might happen in the future? Bugs happen.
>> For instance, I find it absolutely reasonable that the administrative login
>> page (http://mysite.org/typo3/) does not display the version of TYPO3 in
>> use, for the very same reason.
>
> Now I got it :) Sorry for my misunderstanding :(
>
> Your arguments are very reasonable. At the moment you cannot disable generator meta by configuration but this feature can be added. Do you think making it
>
> <meta name="generator" content="TYPO3 CMS" />
>
> is more secure? This is what Apache has, it can report full version or just say "Server: Apache". We can do the same I think.
I don't know how it will fit in with the new install tool, but in the
existing install tool, there is an option to disable the version in the
copyright statement ([SYS][loginCopyrightShowVersion]). It might make
some sense to group any similar new option with this one.
--
Christopher Torgalson / bedlamhotel at gmail.com
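
Added example, not part of the original message and not TYPO3 code: a small check a site owner could run over their own responses to see whether the generator meta tag or the `Server` header still carries a version number, covering both cases discussed in the thread. The function name, the sample pages, the header values and the version numbers in them are constructed for illustration, and "version" is assumed to mean a dotted number such as 4.1.

```python
import re
from html.parser import HTMLParser

# Assumption: a dotted number ("4.1", "2.2.6") counts as a version string.
# The bare "3" in "TYPO3" does not match, so "TYPO3 CMS" is not flagged.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


class GeneratorMetaParser(HTMLParser):
    """Collects the content attribute of every <meta name="generator">."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing tags such as <meta ... />.
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("name", "").strip().lower() == "generator":
            self.generators.append(attr.get("content", ""))


def audit_response(headers, body):
    """Return (location, value, version) for each version disclosure found."""
    findings = []
    parser = GeneratorMetaParser()
    parser.feed(body)
    parser.close()
    for value in parser.generators:
        match = VERSION_RE.search(value)
        if match:
            findings.append(("meta generator", value, match.group(0)))
    for name, value in headers.items():
        if name.lower() == "server":
            match = VERSION_RE.search(value)
            if match:
                findings.append(("Server header", value, match.group(0)))
    return findings


# Constructed sample responses: one with versions, one reduced as proposed.
VERBOSE_HEADERS = {"Server": "Apache/2.2.6 (Unix)"}
VERBOSE_PAGE = '<html><head><meta name="generator" content="TYPO3 4.1 CMS" /></head></html>'
REDUCED_HEADERS = {"Server": "Apache"}
REDUCED_PAGE = '<html><head><meta name="generator" content="TYPO3 CMS" /></head></html>'

if __name__ == "__main__":
    print(audit_response(VERBOSE_HEADERS, VERBOSE_PAGE))
    print(audit_response(REDUCED_HEADERS, REDUCED_PAGE))
```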