How to hide "ln" and "v" implementation/version related parameters for PrimeFaces resources


Problem description

I'm using primefaces and primefaces-extensions in my application. For each and every resource, like .css and .js files, there are also "ln" and "v" query parameters in the GET request for that resource, like below:

primefaces-extensions.js?ln=primefaces-extension&v=6.1   
validation.js?ln=primefaces&v=6.1

As a security concern, since these parameters show the exact version of the framework I'm using, how can I hide them?

Recommended answer

Hiding the 'ln' is kind of useless since, with a very small amount of effort, you can get the same information from the javascript files and the source of the page too ('PF()' is all over the place).

The 'v' however is a slightly different issue. If you use the non-modified PF source, hiding it is sort of useless too since with very little effort (creating a hash) the possible hackers can download your sources, create a hash and compare the resulting hashes with a dictionary they can easily create of existing PrimeFaces sources and then know which version you use. So the only thing to do here is to modify the source to have it not turn up 'known or comparable' hashes by making some slight modifications (adding whitespace should already help).

But if you really want the version not to be shown, you can download the PrimeFaces sources and replace the version info with some obfuscated number and build that custom version. Keep in mind that if you don't make any changes in the sources, the dictionary lookups mentioned above are still working. So it is only some minor inconvenience for hackers.
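
An added example, not part of the original answer: a self-audit that hashes the resources your own build serves and checks them against a dictionary of stock release files, to see whether removing `v` actually hides anything. The `STOCK` and `SERVED` contents are constructed stand-ins (not real PrimeFaces source), the function names are hypothetical, and the whitespace-insensitive comparison goes beyond the exact-hash lookup the answer describes.

```python
import hashlib
import re

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def strip_ws(data: bytes) -> bytes:
    # Drop all whitespace so purely cosmetic edits produce the same digest.
    return re.sub(rb"\s+", b"", data)

def build_index(releases, transform=lambda b: b):
    """Map digest -> sorted list of versions whose stock file produces it."""
    index = {}
    for version, files in releases.items():
        for body in files.values():
            index.setdefault(digest(transform(body)), set()).add(version)
    return {d: sorted(v) for d, v in index.items()}

def audit(served, releases):
    """Classify each served resource: exact, whitespace-only, or no-match."""
    exact = build_index(releases)
    loose = build_index(releases, strip_ws)
    report = {}
    for name, body in served.items():
        if digest(body) in exact:
            report[name] = ("exact", exact[digest(body)])
        elif digest(strip_ws(body)) in loose:
            report[name] = ("whitespace-only", loose[digest(strip_ws(body))])
        else:
            report[name] = ("no-match", [])
    return report

# Constructed stand-ins for stock release files, keyed by version.
STOCK = {
    "6.0": {"validation.js": b"var v=function(){return 'a';};",
            "core.js": b"var c=function(){return 'a';};"},
    "6.1": {"validation.js": b"var v=function(){return 'b';};",
            "core.js": b"var c=function(){return 'b';};"},
}
# Constructed stand-ins for what a deployment serves (no "v" parameter needed).
SERVED = {
    "validation.js": STOCK["6.1"]["validation.js"],            # unmodified
    "core.js": STOCK["6.1"]["core.js"] + b"\n\n  ",            # whitespace added
    "custom.js": b"var c=function(){return 'b';};var x=1;",    # real code change
}

if __name__ == "__main__":
    for name, (kind, versions) in audit(SERVED, STOCK).items():
        print(f"{name}: {kind} {versions}")
```

Any resource reported as `exact` or `whitespace-only` still identifies the release regardless of what the URL shows, so patching to a fixed version matters more than hiding the parameter.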
