To comment on these and say why it is silly.

Jenkins uses a standard `Last-Modified` header on all static content. Jenkins allows access to static content without authentication (because many pages are served that do not need authentication by design (`UnprotectedRootAction`)). The last-modified time of the static content will be when the WAR was last unpacked, which will not tell you the version but will tell you it is at least X days/months old (you cannot unpack a version of Jenkins before it exists!). You also can look at the hashes of all the static content and compare them to what is in every release. The static content does not change with every release, but it does change. Using that information you can then fudge a version to between X and Y.

The reason people want to hide this is to avoid "targeted attacks", and scanners report this as "advertising a version". But most attacks are not targeted; they just try the attack regardless. How many people have looked at server access logs for a Linux HTTP server and seen Windows-only attacks? You also see attacks for Jenkins regardless of whether you are patched or not. The only way to be safe is to upgrade your software when you are notified of security issues. In fact, having a version number exposed can help you do this by easily finding systems that have not upgraded on your network, so you can take steps to get them upgraded or made safe (such as switching off a port on a switch if you cannot identify an owner).
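The defensive use the comment ends on, finding your own deployments that have not been upgraded, can be built on exactly the `Last-Modified` observation it describes. The following is an added example, not code from the Jenkins project or from the commenter: it takes the response headers of a static resource per host (the header values and host names below are constructed samples, not real systems) and reports which deployments were unpacked more than a given number of days ago. It only gives a lower bound on age, as the comment says, so it is a triage list for your inventory, not a version oracle.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def minimum_age_days(headers, now):
    """Return the minimum age in days of a deployment implied by its
    Last-Modified header, or None when the header is absent or unparsable.
    `headers` is a plain dict; libraries such as requests return a
    case-insensitive mapping, so both spellings are tried here."""
    value = headers.get("Last-Modified") or headers.get("last-modified")
    if not value:
        return None
    try:
        modified = parsedate_to_datetime(value)  # RFC 7231 date parsing
    except (TypeError, ValueError):
        return None
    if modified.tzinfo is None:
        # A "-0000" zone yields a naive datetime; treat it as UTC.
        modified = modified.replace(tzinfo=timezone.utc)
    return max((now - modified).days, 0)


def triage(hosts, now, max_age_days):
    """Given {host: response_headers}, return (host, age_days) pairs for
    deployments whose static content is older than max_age_days."""
    stale = []
    for host, headers in hosts.items():
        age = minimum_age_days(headers, now)
        if age is not None and age > max_age_days:
            stale.append((host, age))
    return sorted(stale)


# Constructed sample data: headers as a static resource such as
# /static/<hash>/css/style.css might return on three hypothetical hosts.
SAMPLE_HOSTS = {
    "ci-old.example.internal": {"Last-Modified": "Mon, 01 Jan 2024 00:00:00 GMT"},
    "ci-new.example.internal": {"Last-Modified": "Wed, 29 May 2024 00:00:00 GMT"},
    "ci-proxy.example.internal": {"Cache-Control": "no-cache"},  # header stripped
}
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, age in triage(SAMPLE_HOSTS, SAMPLE_NOW, max_age_days=30):
        print(f"{host}: unpacked at least {age} days ago, check upgrade status")
```

In a real inventory run the headers dict would come from an HTTP HEAD of a static path on each of your own Jenkins hosts, and `now` from `datetime.now(timezone.utc)`; hosts that strip the header (the proxy case above) show up as `None` and need a different check, such as the static-content hash comparison the comment mentions.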