Small potential security issue: don't show version number by default in browsable API · Issue #3878 · encode/django-rest-framework
I'm creating this issue simply to discuss this change. If this isn't the appropriate or the best place for this discussion, please feel free to close it.
The Santy worm spread worldwide within a mere three hours of its release. It found vulnerable instances of phpBB by automatically googling for version strings of vulnerable versions, e.g. "Powered by phpBB v2.3.0".
Since the browsable API can be browsed by robots if users don't set their `robots.txt` up properly, we may want to consider not displaying the version string of DRF (e.g. "Django REST framework **v 3.3.2**", the bold part) in the `rest_framework/base.html` default template. Keeping the "Django REST framework" branding is fine, I'm just advocating for removing the DRF version string. This would prevent Santy-style discovery of vulnerable versions of DRF if there are other security flaws in DRF. This does not mean that DRF is currently vulnerable because it's showing its version; this change simply makes the worst-case scenario less bad.
If users absolutely want the version string to be displayed they can simply override the `rest_framework/base.html` template to include `<span class="version">{{ version }}</span>`.
This change is small, it improves the security posture of DRF (by default), it has a very low likelihood of interfering with any existing use cases of DRF, and it is trivially reverted by users if it does end up interfering with their use case.
I'm of the opinion that the default settings for software should be reasonably secure, to decrease the amount of work users have to do to secure things down. This change is so small and easy that I think it is a reasonable change to make.
Note that this has absolutely nothing to do with API versioning - that's an entirely different and independent thing.
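As an added illustration of the discovery risk described in this issue (this is example code written for this page, not code from the DRF project or from the issue author), the check below does the two things a practitioner would want: it extracts a DRF version banner from rendered browsable-API HTML the way a Santy-style crawler would, and it flags any page whose reported version is older than a chosen minimum. The HTML pages, the URLs under `example.invalid`, and the `3.3.2` minimum are all constructed for the example; they are not real captures and do not describe any actual DRF vulnerability. The same function run against your own deployed API (after stripping the version from the template) is a cheap regression test that the hardening actually took effect.

```python
import html
import re

# Constructed sample pages (not real captures). The first mimics the default
# browsable-API navbar with the version span present, the second has the
# version span removed, the third is an unrelated page that must not match.
EXPOSED_PAGE = """<div class="navbar"><a class="navbar-brand" href="/">
    Django REST framework <span class="version">v 3.3.2</span>
</a></div>"""

HARDENED_PAGE = """<div class="navbar"><a class="navbar-brand" href="/">
    Django REST framework
</a></div>"""

UNRELATED_PAGE = "<html><body>Powered by some other framework 1.2.3</body></html>"

# Constructed URL-to-body mapping standing in for a crawl result.
SAMPLE_CRAWL = {
    "https://api-a.example.invalid/": EXPOSED_PAGE,
    "https://api-b.example.invalid/": HARDENED_PAGE,
    "https://www.example.invalid/": UNRELATED_PAGE,
}

_TAG = re.compile(r"<[^>]+>")
# Matches "Django REST framework 3.3.2" as well as "Django REST framework v 3.3.2".
_BANNER = re.compile(r"Django REST framework\s*v?\s*(\d+(?:\.\d+)+)", re.IGNORECASE)


def find_drf_version(page_html):
    """Return the DRF version string exposed in the page, or None.

    Tags are stripped and whitespace collapsed first so that the version
    is found even when it sits inside a <span> on its own line.
    """
    text = html.unescape(_TAG.sub(" ", page_html))
    text = re.sub(r"\s+", " ", text)
    match = _BANNER.search(text)
    return match.group(1) if match else None


def parse_version(version):
    """Turn '3.3.2' into (3, 3, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_pages(pages, minimum_version):
    """Return {url: version} for every page that exposes a DRF version
    older than minimum_version (an assumed threshold chosen by the caller).

    This is the same filter a worm would apply to pick targets; run against
    your own hosts it tells you which banners to remove or upgrade.
    """
    flagged = {}
    minimum = parse_version(minimum_version)
    for url, body in pages.items():
        version = find_drf_version(body)
        if version is not None and parse_version(version) < minimum:
            flagged[url] = version
    return flagged


def exposed_pages(pages):
    """Return {url: version} for every page exposing any DRF version at all.

    Use this as the regression check after hardening: the expected result
    for your own API is an empty dict.
    """
    return {url: v for url, body in pages.items() if (v := find_drf_version(body)) is not None}


if __name__ == "__main__":
    print("exposed:", exposed_pages(SAMPLE_CRAWL))
    print("older than 3.4.0:", audit_pages(SAMPLE_CRAWL, "3.4.0"))
```

The regex is deliberately loose about the `v` and surrounding whitespace because the exact rendering depends on how a site's template is overridden; tightening it only makes the check miss banners, which is the wrong failure direction for a hardening test.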