Problem/Motivation

The X-Generator header provides a way to know whether a site is Drupal or not, and its version. While this is useful for search engines and other auditing purposes, it could be used by attackers to target Drupal sites. There are modules(1) and blog posts/issues (link 1, link 2, link 3, link 4) to remove this header.

Proposed resolution

Could we have an option in core which allows removing this header, and have it on by default?

Remaining tasks

Discuss

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

Issue fork drupal-3035537


Comments

vijaycs85 created an issue.

vijaycs85

Title: Provide an option to hide X-Generator Header » Provide an option to hide X-Generator header & meta tag.

Title: Provide an option to hide X-Generator header & meta tag. » Provide an option to hide X-Generator header

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

edmonkey

Just posting this module, as it is specific to this requirement/problem.
https://www.drupal.org/project/remove_http_headers

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.) For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

catch

We don't consider fingerprinting information a security issue usually, although this doesn't necessarily mean that it shouldn't be possible to switch off some of the headers Drupal adds.

Just adding to this issue that someone reported to security.drupal.org that the Drupal version is also discoverable via the installer. This was cleared to be in the public queue and this seems like an appropriate issue to mention on.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

prudloff

I don't think we should push security by obfuscation.
However, I am wondering if this non-standard header is really useful. I googled it and I could not find any usage outside of Drupal.
Do we know if some clients are consuming it?

The header was added in #275092: Add fingerprinting META Generator and HTTP headers for Drupal.

(The generator meta tag is standard and contains the same information.)

greggles

It's possible to make a header request that consumes significantly less bandwidth if someone were spidering for Drupal sites at scale. That said, since it's not standard this is not a reliable way to determine Drupal vs other systems.

prudloff

This can indeed be used to find a list of Drupal websites: https://publicwww.com/websites/%22X-Generator%3A+Drupal%22/

prudloff

Do we have a way to deprecate ResponseGeneratorSubscriber? Or should we simply remove it?
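The proposed resolution (an option to strip the header) and the question about ResponseGeneratorSubscriber above can be illustrated with a site-level event subscriber that removes X-Generator from every response after core has added it. This is an added example for a Drupal 10 site, not core code or the remove_http_headers module; the module name hide_generator, the class name and the priority -10 are assumptions, and the generator meta tag (added separately by the system module) is not handled here.

```php
<?php

// Added example, not Drupal core's own code: a small custom-module event
// subscriber that strips the X-Generator header that core's
// ResponseGeneratorSubscriber adds. Module name "hide_generator" and the
// priority value are assumptions. Targets Drupal 10 (Symfony 6 events).

namespace Drupal\hide_generator\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Removes the X-Generator header from outgoing responses.
 *
 * Register it in hide_generator.services.yml:
 *
 *   services:
 *     hide_generator.response_subscriber:
 *       class: Drupal\hide_generator\EventSubscriber\HideGeneratorSubscriber
 *       tags:
 *         - { name: event_subscriber }
 */
class HideGeneratorSubscriber implements EventSubscriberInterface {

  /**
   * Strips the header once core has added it.
   */
  public function onRespond(ResponseEvent $event): void {
    // Only the main request's response reaches the client; sub-requests
    // (e.g. ESI/placeholder rendering) are merged into it.
    if (!$event->isMainRequest()) {
      return;
    }
    $headers = $event->getResponse()->headers;
    if ($headers->has('X-Generator')) {
      $headers->remove('X-Generator');
    }
  }

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents(): array {
    // Core adds the header in its own KernelEvents::RESPONSE listener at the
    // default priority (0). A negative priority (assumed value -10) runs after
    // it, so the header already exists and the removal sticks.
    return [KernelEvents::RESPONSE => ['onRespond', -10]];
  }

}
```

After enabling the module, verify with a HEAD request (for example `curl -sI https://example.test/`) that X-Generator is absent while the other response headers are unchanged.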

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.