# Hide Angular version and the package version that are used
Wait until you discover that the code of the application and of the framework is also exposed! There's really nothing wrong with that. Why do you care?
Security peeps are giving me a nightmare.
They're wasting their time. If they're worried that people are going to check the Angular version before attempting to 'hack' your app, then trying to 'solve' that is just going to waste more time and effort than it is worth.
Hiding the version number doesn't really slow down an automated attempt to exploit a CVE that's been raised against that Angular version. They're just going to script an attempt to exploit whatever it is and move on if it doesn't work in 2 seconds, without bothering to check the version attribute.
But how do we achieve it?
I tend to agree with what's being said though. Exposing versions in the frontend is not uncommon, and I think it's the wrong focus from a security perspective. I am convinced there are other areas to focus on, and there may even be more serious vulnerabilities you are subject to.
Even more so, if you are using version X, and version X is vulnerable, your focus should not be on hiding that version, but on mitigating the risk by bumping it ASAP. This can be done really fast using the proper tooling, such as Snyk etc.
If your application is using a vulnerable version of something and you do not patch it, hiding the version won't save you anything.
And last but not least, not to minimize the risk, but vulnerabilities in the FE are most of the time on a different level from those in the backend.
Plus, when was the last time that Angular had a CVE? If there's going to be one, it's way more likely to be downstream in one of the thousands of potential NPM dependencies instead, and reading that Angular says it's v26 isn't going to inform them or you one way or the other.
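The two points made above, that a fingerprinting script reads the `ng-version` attribute in about one line and that the real exposure is decided by what is actually deployed in the dependency tree, are easy to show side by side. The following is an added example written for this page; it is not code from the thread, from Angular, or from Snyk. The HTML snippets, the lockfile-shaped object, the package names and the advisory record are all constructed placeholders (there is no real CVE behind `SAMPLE-ADVISORY-0001`), and the `{introduced, fixed}` advisory shape is an assumption chosen for the example.

```javascript
// Added example, not from the thread or from Angular. Every input below is
// constructed sample data; package names and the advisory are hypothetical.

// --- 1. What an attacker's fingerprinting script sees: the ng-version attribute
//        that Angular stamps on the root component's host element.
const RENDERED_HTML = '<app-root ng-version="17.0.0" _nghost-abc="">...</app-root>'; // constructed
const STRIPPED_HTML = '<app-root _nghost-abc="">...</app-root>';                      // constructed

function extractNgVersion(html) {
  const m = /\bng-version="([^"]+)"/.exec(html);
  return m ? m[1] : null; // null once the attribute has been removed
}

// --- 2. Minimal semver helpers (numeric core only; prerelease tags are ignored).
function parseVersion(v) {
  const parts = v.split('-')[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Assumed advisory shape: { id, package, introduced, fixed }.
// A version is affected when introduced <= version < fixed.
function isAffected(version, advisory) {
  return compareVersions(version, advisory.introduced) >= 0 &&
         compareVersions(version, advisory.fixed) < 0;
}

// --- 3. The audit that actually matters: walk the deployed dependency versions
//        (a simplified lockfile-shaped object) against an advisory feed.
function auditDependencies(lock, advisories) {
  const findings = [];
  for (const [name, info] of Object.entries(lock.packages)) {
    for (const adv of advisories) {
      if (adv.package === name && isAffected(info.version, adv)) {
        findings.push({ package: name, version: info.version, advisory: adv.id, fixedIn: adv.fixed });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile and advisory feed (hypothetical names, no real CVE).
const SAMPLE_LOCK = {
  packages: {
    '@angular/core':  { version: '17.0.0' },
    'example-widget': { version: '2.3.1' }, // hypothetical transitive dependency
    'example-utils':  { version: '1.9.0' }, // hypothetical, not affected
  },
};

const SAMPLE_ADVISORIES = [
  { id: 'SAMPLE-ADVISORY-0001', package: 'example-widget', introduced: '2.0.0', fixed: '2.4.0' },
];

// Removing the attribute changes what a fingerprinting script reads...
console.log(extractNgVersion(RENDERED_HTML)); // "17.0.0"
console.log(extractNgVersion(STRIPPED_HTML)); // null
// ...but not the audit result, which is driven by what is deployed.
console.log(auditDependencies(SAMPLE_LOCK, SAMPLE_ADVISORIES));
// [{ package: 'example-widget', version: '2.3.1', advisory: 'SAMPLE-ADVISORY-0001', fixedIn: '2.4.0' }]
```

The audit is the same whether or not `ng-version` is present in the served HTML, which is the practical content of the "patch it, don't hide it" advice above. A real scanner such as Snyk reads the actual `package-lock.json` and a maintained advisory database instead of the toy shapes used here, but the range check it performs per package is the same idea as `isAffected`.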