angular/angular.js

How to hide Version information of Angular JS library in the rendered Web response?

testuser270288 opened this issue · 2 comments

AngularJS is in LTS mode

We are no longer accepting changes that are not critical bug fixes into this project.
See https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c for more detail.

I'm submitting a ...

  • regression from 1.7.0
  • security issue
  • issue caused by a new browser version
  • other

Current behavior:
When the web page is rendered, I see the version of AngularJS being rendered in the response, which is an issue in terms of application security. Hackers might easily exploit the app by knowing the security loopholes associated with a specific version.

Is there any filter or a mechanism to hide or strip off the version information when the response is returned?

Expected / new behavior:
There should be a mechanism to strip off version information from the response.

Minimal reproduction of the problem with instructions:

AngularJS version: 1.3.x

Browser: [all | Chrome XX | Firefox XX | Edge XX | IE XX | Safari XX | Mobile Chrome XX | Android X.X Web Browser | iOS XX Safari | iOS XX UIWebView | iOS XX WKWebView | Opera XX ]

Anything else:

Hiding the version number is not a strong security solution. If a hacker wants to attempt to break into your app because it is using an old version of AngularJS there would be many other fingerprints in the library code that they could use to identify if the application was vulnerable.

Since AngularJS is in LTS mode, and hiding the version number would just be security-by-obscurity, this is not something we will implement in the framework.

Also be aware that even if such a change was made, then it would only be released in supported versions (i.e. 1.8.x) so it would not benefit older versions of AngularJS (e.g. 1.3.x) that are vulnerable to security attacks.

If you still feel it is important to remove such version number information, then you would need to fork your own version of AngularJS for your project.
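
The point made in the reply above can be checked against your own build output. The following is an added example, not code from this thread or from the AngularJS project: it audits shipped assets for an AngularJS version and flags anything outside the 1.8.x line named above as supported. The marker formats, file names and sample contents are assumptions constructed for illustration.

```javascript
// Added example: inventory the AngularJS versions your own build output ships.
// Marker formats are assumptions: the license banner comment, and the literal
// behind the documented `angular.version` object, which stays in the code
// even when the banner comment has been stripped.
const MARKERS = [
  { source: 'banner', re: /AngularJS v(\d+)\.(\d+)\.(\d+)/ },
  { source: 'angular.version', re: /full:\s*["'](\d+)\.(\d+)\.(\d+)["'],\s*major:/ },
];

// The thread names 1.8.x as the supported release line.
const SUPPORTED = { major: 1, minor: 8 };

// Return the first version marker found in an asset, or null if none matches.
function detectVersion(text) {
  for (const { source, re } of MARKERS) {
    const m = re.exec(text);
    if (m) {
      const [major, minor, patch] = m.slice(1).map(Number);
      return { source, major, minor, patch, full: `${major}.${minor}.${patch}` };
    }
  }
  return null;
}

// Classify each asset: not AngularJS, on the supported line, or needing an upgrade.
function auditAssets(assets) {
  return Object.entries(assets).map(([name, text]) => {
    const v = detectVersion(text);
    if (!v) return { name, status: 'not-angularjs' };
    const supported = v.major === SUPPORTED.major && v.minor === SUPPORTED.minor;
    return {
      name,
      version: v.full,
      foundVia: v.source,
      status: supported ? 'supported-line' : 'upgrade-required',
    };
  });
}

// Constructed sample assets (hypothetical names, abbreviated contents).
const SAMPLE_ASSETS = {
  'vendor/angular.min.js':
    '/*\n AngularJS v1.3.20\n License: MIT\n*/\n(function(){var v={full:"1.3.20",major:1,minor:3,dot:20};})();',
  'vendor/angular.stripped.js':
    '(function(){var v={full:"1.3.20",major:1,minor:3,dot:20};})();',
  'vendor/angular-current.js': '/**\n * @license AngularJS v1.8.3\n */\n',
  'app.js': 'console.log("hello");',
};

console.table(auditAssets(SAMPLE_ASSETS));
```

The asset with its banner removed is still reported as 1.3.20, so the audit result that matters is `upgrade-required`, not whether the banner is visible.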