Small potential security issue: don't show version number by default in browsable API #3878
Comments
I think that'd be a reasonable change, yup.
Quoted from official site
I think it's fine to leave the issue here since it is not a security issue in itself but rather a better default setting for DRF.
@vyscond: @xordoquy is correct, this isn't a security issue and public disclosure has pretty much nothing to do with this issue, so I didn't feel that was warranted.
I'm creating this issue simply to discuss this change. If this isn't the appropriate or the best place for this discussion, please feel free to close it.
The Santy worm spread worldwide within a mere three hours of its release. It found vulnerable instances of PHPBB by automatically googling for version strings of vulnerable versions, e.g. "Powered by PHPBB v2.3.0".
Since the browsable API can be browsed by robots if users don't set their `robots.txt` up properly, we may want to consider not displaying the version string of DRF (e.g. "Django REST framework v 3.3.2" - the bold part) in the `rest_framework/base.html` default template. Keeping the "Django REST framework" branding is fine, I'm just advocating for removing the DRF version string. This would prevent Santy-style discovery of vulnerable versions of DRF if there are other security flaws in DRF. This does not mean that DRF is currently vulnerable because it's showing its version; this change simply makes the worst case scenario less worse. If users absolutely want the version string to be displayed they can simply override the `rest_framework/base.html` template to include `<span class="version">{{ version }}</span>`.
This change is small, it improves the security posture of DRF (by default), it has a very low likelihood of interfering with any existing use cases of DRF, and it is trivially reverted by users if it does end up interfering with their use case.
I'm of the opinion that the default settings for software should be reasonably secure, to decrease the amount of work users have to do to secure things down. This change is so small and easy that I think it is a reasonable change to make.
Note that this has absolutely nothing to do with API versioning - that's an entirely different and independent thing.
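As an added example (not code from this issue or from DRF itself), here is a stand-alone check a maintainer can run over the HTML of their own browsable API pages to confirm that no version footprint of the kind described above is disclosed. The two sample pages are constructed; the `<span class="version">v 3.3.2</span>` layout of the leaking page is an assumption about what the default template renders.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages standing in for a browsable API response before and
# after the version span is removed from rest_framework/base.html.
LEAKING_PAGE = """<html><body>
<a class="navbar-brand">Django REST framework <span class="version">v 3.3.2</span></a>
</body></html>"""

HARDENED_PAGE = """<html><body>
<a class="navbar-brand">Django REST framework</a>
</body></html>"""

# The footprint a Santy-style search would key on: a product name followed by
# a version such as "v 3.3.2" or "v2.3.0". Applied to visible text, not raw HTML.
VERSION_RE = re.compile(
    r"(Django REST framework|Powered by \w+)\s*v\s*(\d+(?:\.\d+)+)", re.I
)


class _PageScanner(HTMLParser):
    """Collect all visible text, plus the text inside every <span class="version">."""

    def __init__(self):
        super().__init__()
        self._depth = 0      # >0 while inside a span.version element
        self.spans = []      # text of each span.version found
        self.text = []       # all visible text fragments

    def handle_starttag(self, tag, attrs):
        if self._depth:
            self._depth += 1
        elif tag == "span" and "version" in dict(attrs).get("class", "").split():
            self._depth = 1
            self.spans.append("")

    def handle_endtag(self, tag):
        if self._depth:
            self._depth -= 1

    def handle_data(self, data):
        self.text.append(data)
        if self._depth:
            self.spans[-1] += data


def find_version_disclosures(html):
    """Return the distinct version strings a page reveals (empty list when clean)."""
    scanner = _PageScanner()
    scanner.feed(html)
    hits = [s.strip() for s in scanner.spans if s.strip()]
    hits += [m.group(0) for m in VERSION_RE.finditer("".join(scanner.text))]
    return sorted(set(hits))
```

Point `find_version_disclosures` at the HTML of a page fetched with `Accept: text/html` to check a deployment, or at a rendered template in a test suite.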