doubts regarding security

[Ultimateshado]

Good morning, I have a doubt regarding the security.
Is it possible to somehow hide information about the webserver name and version used?
I have been using HFS version 2.3 in the past and am trying to migrate to this new version due to security issues.
By pressing F12 (Use The Browser Developer Tools) you can see information that would be better not made public.
thanks to anyone who responds.

[rejetto]

at the moment there's no option for it, while it's already technically possible for an admin, by using javascript inside the "server code" option (that has the same capabilities of plugins). You can basically mess with everything the server sends.

The info is there for a reason (of course): letting plugins decide how to behave based on the version, but I agree that not everybody needs this, and i'm not even aware of anyone currently using this capability.

That been said, I can consider hiding the version, but i'm not convinced about its effectiveness.
The main reason is that you may succeed in hiding the plain version, but an attacker will always be able to detect the version by searching some string in the files that are part of the web interface (the files under /~/frontend ), as these (more or less) change with the version.

This does not apply to "simple" web servers, like nginx, because they don't have a web interface.

As an additional note, most attacks are so "cheap" that I see attempted without a care on what software is on the other end.

[Ultimateshado]

Thanks for the reply.
I am not a software developer, I take this opportunity to thank you for your work which is fantastic.
I appreciated the old versions, especially for their simple use and within the reach of even less experienced users.
I don't know javascript, I hope for a future addition of this functionality in the next versions.
I understood your reasoning, in the end if someone wants to attack, they attack you, by limiting public data such as "server:HSF" "version" you have a light approach to initial security, especially after the Remote Code Execution (RCE) of the previous ones versions.
I use HSF on my private server, not for work purposes.

[rejetto]

yes, my point is that this change would not help you like 1%, but closer to 0% 😄
of course i'm ready to listen to evidence of me being wrong on this, especially as i'm no security expert.

[Ultimateshado]

IIS also coexists on the same machine, and personally I have removed everything possible and imaginable from the IIS webconf on the Windows server I am using, when it was not possible I falsified everything.
I don't use it for business purposes, so there isn't much "serious" cybersecurity. There are no particular IDS or IPS behind it.
However, having a router in cascade with pfsense I was able to see that portscan attempts are the order of the day.
A few times I tried to run light scans using Nessus.

https://www.acunetix.com/blog/articles/configure-web-server-disclose-identity/

(Look here, try a website with HFS here, when the server is declared what it recommends to do.)
https://securityheaders.com/

E*
server | HFS 0.5X.X-XXX

[rejetto]

(Look here, try a website with HFS here, when the server is declared what it recommends to do.)

I'm taking notes of these suggestions, but i expect them to be "nice to have" more than important.
This is the little they got with their cheap check; of course they try to sell it as important.