JENKINS-56217

Allow version HTTP header to be hidden

    Details

    • Released As: extended-security-settings-1.2

      Description

      It would be nice to have an option (-D or something similar) to hide the version information of the running Jenkins master instance.

      This would prevent (or at least make it harder for) hackers from attacking a Jenkins instance which has known vulnerabilities.

      Currently the website shows the running Jenkins version in the footer.

      I would like to hide this information or overwrite it with "-1" or similar. Such an option could be set as a Java system property.

      We are running the Jenkins master as a WAR archive inside a Tomcat container, so a Java system property would be the best way to solve this.

      PS: feel free to change the component; there seems to be no component available for the Jenkins master or the general UI.

          Activity

          jvz Matt Sicker added a comment -

          We've discovered several more areas where the Jenkins version is present that would be non-trivial to remove. For example, jenkins-cli.jar is available through an unprotected URL, and that jar contains both a MANIFEST.MF and a pom.xml that contain the Jenkins version.

          jvz Matt Sicker added a comment -

          After discussion with some colleagues, we've decided that adding a servlet filter to ESS would work well enough to implement this feature as requested even though it can't remove the version number from other places.

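As an added illustration of the servlet-filter approach described in the comment above (example code, not the ESS plugin's own implementation): a filter that wraps the response and drops the version-bearing header, assumed here to be X-Jenkins, whenever a hypothetical system property is set. It touches only HTTP headers, so the footer and jenkins-cli.jar still carry the version, exactly as the comment warns.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Drops the version-bearing response header when a system property is set. */
public class HideVersionHeaderFilter implements Filter {
    // Hypothetical property name; the plugin's real switch may differ.
    static final String PROPERTY = "example.hideVersionHeader";
    // Assumed name of the header that carries the Jenkins version.
    static final String HEADER = "X-Jenkins";

    static boolean isVersionHeader(String name) {
        return name != null && name.equalsIgnoreCase(HEADER);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Pass through unchanged unless hiding is enabled and this is an HTTP response.
        if (!Boolean.getBoolean(PROPERTY) || !(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        // Wrap the response so any downstream attempt to emit the header is discarded.
        // The filter must be registered ahead of the code that sets the header,
        // otherwise the header has already been written by the time we run.
        HttpServletResponse wrapped = new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override public void setHeader(String name, String value) {
                if (!isVersionHeader(name)) super.setHeader(name, value);
            }
            @Override public void addHeader(String name, String value) {
                if (!isVersionHeader(name)) super.addHeader(name, value);
            }
        };
        chain.doFilter(req, wrapped);
    }
}
```

The check that the setting actually took effect is to request any Jenkins page with response headers shown and confirm the version header is absent; if it is still present, the filter is registered too late in the chain.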
          jvz Matt Sicker added a comment - New PR: https://github.com/jenkinsci/extended-security-settings-plugin/pull/9
          jvz Matt Sicker added a comment -

          Merged to master. Will be released in 1.2.

          jvz Matt Sicker added a comment -

          Released to the update center. This also updates the plugins.jenkins.io page to use the readme which has far better info about the plugin than the wiki page did.


            People

            Assignee:
            jvz Matt Sicker
            Reporter:
            waffel Thomas Wabner
            Votes:
            0
            Watchers:
            5