Option / Parameter to Hide versioning information

Hi,

Is there a way to hide Vault’s versioning information from all of Vault’s possible “public” places, like the versioning information in the UI (at the bottom there is a banner like “© 2021 HashiCorp Vault 1.4.0 Upgrade to Vault Enterprise Documentation”) or from the API endpoints /v1/sys/health and /v1/sys/seal-status, which also return a “version” key?

Impact

The disclosure of version or system information allows an attacker to conduct a selective search in vulnerability databases. The obtained information can then be used as a basis for attacks.

Recommendation

It is recommended not to disclose any information about the system or available services. Such information should be removed from banners.

Thanks a lot,

Not a bad idea, however, usually you don’t want your Vault API open to the world.
If you require that, it might be useful to put an LB or proxy (i.e., nginx) ahead of it to route certain things like health and certain paths only for authenticated (i.e., bearer token or other org access) requests.

As for a change to allow this, you might get more eyes on it with a GH issue.

1 Like
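A sketch of the proxy approach suggested in the reply, added here as an example and not taken from the thread or from HashiCorp: nginx sits in front of Vault and only lets a trusted network reach the UI and the two endpoints that return a "version" key. The hostnames, addresses, CIDR range and certificate paths are assumptions, and a network allowlist stands in for the "org access" check.

```nginx
# Added example. All addresses, names and paths below are constructed placeholders.
upstream vault_backend {
    server 10.0.0.10:8200;            # assumed internal Vault listener (TLS enabled)
}

server {
    listen 443 ssl;
    server_name vault.example.com;                  # placeholder hostname
    ssl_certificate     /etc/nginx/tls/vault.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/vault.key;   # placeholder path

    # The unauthenticated endpoints named in the question.
    # A regex location wins over the /v1/ prefix below, so these rules
    # apply even though /v1/ also matches. Query strings such as
    # ?standbyok=true are not part of location matching.
    location ~ ^/v1/sys/(health|seal-status)$ {
        allow 10.0.0.0/16;            # assumed trusted range (monitoring, LB checks, staff)
        deny  all;                    # everyone else receives 403
        proxy_pass https://vault_backend;
        proxy_set_header Host $host;
    }

    # The UI, whose footer shows the version banner quoted in the question.
    location /ui/ {
        allow 10.0.0.0/16;            # same assumed trusted range
        deny  all;
        proxy_pass https://vault_backend;
        proxy_set_header Host $host;
    }

    # Remaining API paths are passed through; Vault itself enforces
    # token authentication on them.
    location /v1/ {
        proxy_pass https://vault_backend;
        proxy_set_header Host $host;
    }

    # Anything else is not routed to Vault at all.
    location / {
        return 404;
    }
}
```

This only has an effect if the Vault listener itself is unreachable from outside the proxy; `nginx -t` checks the syntax before a reload.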