NodeBB-ActivityPub Bridge Test Instance


Software version in nodeinfo

Category: AP Test (community.nodebb.org)
Tags: nodeinfo, security
1 post, 1 poster, 25 views
  • julian@community.nodebb.org (user from outside this forum) wrote:
    #1

    I've noticed that the software version is shown in the NodeInfo endpoint:

    • https://mastodon.online/nodeinfo/2.0
    • https://pixelfed.social/api/nodeinfo/2.0.json

    I've always believed that displaying the software version allowed malicious users to determine which vulnerabilities affect your software.

    For example, NodeBB sends an x-powered-by header, but only ever sets the value to NodeBB; this has been the case for many years.

    The other line of thinking is that relying on security by obscurity is fallacious, but since it's only one facet of a broader security posture (the rest of it being keeping up with updates, writing as secure code as you can, reporting/bounty systems, audits, etc.), I honestly don't see a problem with transmitting as little information as I can.

    The downside of hiding that information is that sites that gather statistics on fediverse software use wouldn't be able to discern software versions for NodeBB in their charts, but I don't think that's necessarily a problem.

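As an added example, not code from NodeBB, Mastodon or Pixelfed: a small JavaScript check that flags a specific software version disclosed in a NodeInfo 2.0 document and in the conventional version-bearing response headers (Server, x-powered-by), together with a coarsening step that keeps only the product name in the header and only the major component of `software.version`, which is the kind of behaviour the post describes for NodeBB's x-powered-by value. The NodeInfo document, the header values and the function names are constructed for this example and describe no real instance.

```javascript
// Added example (not NodeBB's or any fediverse project's code): detect and
// coarsen version disclosure in a NodeInfo 2.0 document and HTTP headers.
// The sample document and headers below are constructed for this example.

const SAMPLE_NODEINFO = {
  version: '2.0',
  software: { name: 'examplesoft', version: '4.2.7' }, // constructed values
  protocols: ['activitypub'],
  services: { inbound: [], outbound: [] },
  openRegistrations: false,
  usage: { users: { total: 1 } },
  metadata: {},
};

// Constructed response headers for the same hypothetical instance.
const SAMPLE_HEADERS = {
  'x-powered-by': 'Express/4.18.2',
  server: 'nginx/1.24.0',
  'content-type': 'application/json',
};

// A "specific" version is anything with at least two numeric components
// (4.2.7, 1.24.0, 2023.11). A bare product name or a major-only value
// ("NodeBB", "4") is treated as coarse enough not to flag.
const SPECIFIC_VERSION = /\b\d+\.\d+(?:\.\d+)*\b/;

// Headers that conventionally carry product/version strings.
const VERSION_HEADERS = ['server', 'x-powered-by', 'x-aspnet-version', 'x-generator'];

// Returns a list of { where, value } findings, one per place a specific
// software version is disclosed. Header names are matched case-insensitively.
function findVersionDisclosures(nodeinfo, headers = {}) {
  const findings = [];
  const sw = nodeinfo && nodeinfo.software;
  if (sw && typeof sw.version === 'string' && SPECIFIC_VERSION.test(sw.version)) {
    findings.push({ where: 'nodeinfo.software.version', value: sw.version });
  }
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  for (const name of VERSION_HEADERS) {
    if (name in lower && SPECIFIC_VERSION.test(lower[name])) {
      findings.push({ where: `header:${name}`, value: lower[name] });
    }
  }
  return findings;
}

// Returns a deep copy of the NodeInfo document with software.version reduced
// to its major component ("4.2.7" -> "4"). The field is kept rather than
// deleted because, on my reading of the NodeInfo 2.0 schema, software.version
// is a required property; check that against the schema version you serve.
function coarsenNodeInfo(nodeinfo) {
  const copy = JSON.parse(JSON.stringify(nodeinfo));
  if (copy.software && typeof copy.software.version === 'string') {
    const m = copy.software.version.match(/^\d+/);
    copy.software.version = m ? m[0] : 'unknown';
  }
  return copy;
}

// Returns a copy of the headers (lower-cased names) with the version stripped
// from the conventional version-bearing headers, keeping only the product
// name ("Express/4.18.2" -> "Express"); other headers pass through unchanged.
function coarsenHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    const key = k.toLowerCase();
    out[key] = VERSION_HEADERS.includes(key) ? String(v).replace(/\/.*$/, '') : v;
  }
  return out;
}

// Demonstration on the constructed input: three findings before coarsening,
// none afterwards.
console.log(findVersionDisclosures(SAMPLE_NODEINFO, SAMPLE_HEADERS));
console.log(findVersionDisclosures(coarsenNodeInfo(SAMPLE_NODEINFO), coarsenHeaders(SAMPLE_HEADERS)));
```

The detector is deliberately crude (two dotted numeric components), so a date-style or major-only version string passes; tighten `SPECIFIC_VERSION` to your own release naming if you use it as a regression check against your instance's `/nodeinfo/2.0` response.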