Provide an option to hide X-Generator header

Created on 25 February 2019, over 6 years ago
Updated 19 May 2025, 18 days ago

Problem/Motivation

The X-Generator header provides a way to know whether a site is Drupal or not, and its version. While this is useful for search engines and other auditing purposes, it could be used by attackers to target Drupal sites. There are modules (1) and blog posts/issues (link 1, link 2, link 3 "Remove Generator meta tag from output" [Closed: works as designed], link 4) to remove this header.

Proposed resolution

Could we have an option in core which allows removing this header, and could we have it on by default?

Remaining tasks

Discuss

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

📌 Task
Status

Active

Version

11.0 🔥

Component

base system

Created by

🇬🇧United Kingdom vijaycs85 London, UK

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇫🇷France prudloff Lille

    I don't think we should push security by obfuscation.
    However, I am wondering if this non-standard header is really useful. I googled it and I could not find any usage outside of Drupal.
    Do we know if some clients are consuming it?

    The header was added in #275092: Add fingerprinting META Generator and HTTP headers for Drupal.

    (The generator meta tag is standard and contains the same information.)

  • 🇺🇸United States greggles Denver, Colorado, USA

    It's possible to make a header request that consumes significantly less bandwidth if someone were spidering for Drupal sites at scale. That said, since it's not standard this is not a reliable way to determine Drupal vs other systems.
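Added example (not part of the issue thread or of Drupal core): a check a site owner can run over a captured response from their own site to see which generator disclosures remain, covering both the X-Generator header and the generator meta tag mentioned in the comments above. The sample responses, the "Drupal 10" value and all function names are constructed for illustration.

```python
from email.parser import Parser
from html.parser import HTMLParser


class _MetaGenerator(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.values.append(a.get("content", ""))


def generator_disclosures(raw_response):
    """Return (channel, value) pairs that reveal the generator in one response."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    _status_line, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    # Header names are matched case-insensitively.
    found = [("header", v) for v in headers.get_all("X-Generator", [])]
    meta = _MetaGenerator()
    meta.feed(body)
    meta.close()
    found += [("meta", v) for v in meta.values]
    return found


# Constructed sample responses (not captured from a real site).
GEN = "Drupal 10 (https://www.drupal.org)"
META = '<meta name="Generator" content="%s" />' % GEN
PAGE = "<html><head>%s<title>Home</title></head><body></body></html>"
STATUS = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"

DEFAULT = STATUS + "X-Generator: " + GEN + "\r\n\r\n" + PAGE % META
HEADER_REMOVED = STATUS + "\r\n" + PAGE % META   # header hidden, meta tag left
BOTH_REMOVED = STATUS + "\r\n" + PAGE % ""

if __name__ == "__main__":
    for name, raw in [("default", DEFAULT),
                      ("header removed", HEADER_REMOVED),
                      ("both removed", BOTH_REMOVED)]:
        print(name, "->", generator_disclosures(raw))
```
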
