Dev0ps's avatar

how to prevent revealing used technologies name and versions

in my app, i use many technologies. how i can hide them all

Analytics
Google Analytics
JavaScript Framework
Socket.io
Font Script
Google Font API
Web Framework
Bootstrap4.0.0
Programming Language
Node.js
Map
Google Maps
JavaScript Libraries
jQuery3.2.1
Moment.js2.19.2
0 likes
9 replies
Vilfago's avatar

You cannot totally hide them, as the browser need to know what you use in order to show what you want.

But you can merge all of these using laravel-mix in one file, and minimise it. It will be harder for a user to find what you use.

Dev0ps's avatar

thanks man! i mix all of them in app.js still all software able to detect which technologies it was

D9705996's avatar

@DEV0PS - Even when your assets have been minified there will still be signatures that if you know where to look for them will be able to identify the frameworks being used.

There isn't a lot you can do about this if you want to still use the framework.

Why is this an issue?

jlrdw's avatar

If they are open source anyway you shouldn't be hiding them at all. The open-source license should be available.

1 like
D9705996's avatar

@jlrdw - Totally agree, even if its not a legal obligation it should be a moral one. These frameworks save you years of effort rolling your own (usually badly).

However one possible issue is being able to identify the versions in use as this could be used for targeting vulnerable sites. Just another reason to stay on top of you dependencies

Dev0ps's avatar

I completely agree with you guys. My intent is not to gain these libery ownership. And I am not going to do that. For security prospective I just want to make these info hidden. And hiding names and version details doesn't means I'm doing wrong thingh and have wrong intentions. I know the efforts of these library makers put and I appreciate that.

So Please don't make unsubjected suggestions. Thanks

ohffs's avatar

Does running your js stuff through terser with mangling enabled help? I haven't tried it with mix v4 yet - but it's something like :

mix.options({
    terser: {mangle: true},
});

maybe ;-)

1 like
Robstar's avatar

@dev0ps For the JavaScript stuff, especially local assets, you could try obfuscating them.

Programming language, I guess you make it more difficult to discover, but I'd be surprised if you can fully hide it.

Bootstrap 4 - possible, but not worth the effort imo. I'm unsure how me knowing what CSS framework you've used is a security issue.

It's pretty easy with Nginx to hide PHP and server versions.

Overall though, for the majority of those you won't get a lot of benefit security wise.

For example, we all know Laracasts us built using Tailwind CSS, uses moment js, uses Google Analytics, Google fonts and jquery - none of that really helps anyone hack the site :)

You're better off spending time hardening your server security.

Dev0ps's avatar

@robstar thanks man! I try it.

Vulnerabilities are everywhere. That's the reason testing is done by cyber security domain guy and development is done by IT guy.

Please check https://snyk.io/vuln/npm:bootstrap

security is the President show this is our responsibility to protect each and every aspect.

Please or to participate in this conversation.