Hide vaadin push version
Describe your motivation
Our customers regularly perform penetration tests on our web application. Right now, a malicious actor can find the Vaadin version that we use by inspecting the following element:
<script src="./VAADIN/static/push/vaadinPush-min.js?v=23.1.3"></script>
I am aware that you can determine the version in use through other means; however, that would require more effort. Such version information in plain sight will probably lead to findings in future penetration tests.
Describe the solution you'd like
We would prefer a solution that could remove this information via some configuration option, or a way to supply a custom value for the query parameter (in case the query parameter is only used for browser caching).
Additional context
We already asked about this topic in the expert chat. The expert recommended opening an issue about this so that the information could be removed or moved to some place other than a clear query string.
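A check like the following can be run against the application's own rendered HTML before a penetration test, to list asset URLs whose query string carries a version-like value. It is an added example, not part of the original issue and not Vaadin code; the function names and the sample page are assumptions, and only the first script element is taken from the issue.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Matches dotted version strings such as 23.1.3 or 2.4.0-beta1.
VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,3}(?:[-.][0-9A-Za-z]+)*$")
# Tags that load assets, and the attribute that holds their URL.
URL_ATTRS = {"script": "src", "link": "href", "img": "src"}


class VersionedAssetFinder(HTMLParser):
    """Collects asset URLs whose query string carries a version-like value."""

    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (tag, url, parameter, value)

    def handle_starttag(self, tag, attrs):
        attr_name = URL_ATTRS.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if not url:
            return
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if VERSION_RE.match(value):
                self.findings.append((tag, url, key, value))


def find_versioned_assets(html):
    """Return every asset reference in `html` that exposes a version number."""
    finder = VersionedAssetFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: the first element is the one quoted in the issue,
# the other two are made up to show values that are not reported.
SAMPLE_HTML = """
<html><head>
<script src="./VAADIN/static/push/vaadinPush-min.js?v=23.1.3"></script>
<script src="./app/bundle.js?v=9f2c1ab7"></script>
<link rel="stylesheet" href="./styles/main.css?theme=dark">
</head><body></body></html>
"""

if __name__ == "__main__":
    for tag, url, key, value in find_versioned_assets(SAMPLE_HTML):
        print(f"<{tag}> {url}: parameter {key!r} exposes version {value!r}")
```

An opaque cache-busting value such as a content hash is not reported, which matches the custom-value option requested above.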