How to hide “ln” and “v” implementation/version related parameters for PrimeFaces resources

梦毁少年i 2021-01-24 05:37

I'm using primefaces and primefaces-extensions in my application. For each and every resource like .css and .js files there are also "ln" and "v" query parameters in the

1 answer
  • 2021-01-24 06:23

    Hiding the 'ln' is kind of useless since with a very small amount of effort, you can get the same information from the JavaScript files and the source of the page too ('PF()' is all over the place).

    The 'v' however is a slightly different issue. If you use the non-modified PF source, hiding it is sort of useless too since with very little effort (creating a hash) the possible hackers can download your sources, create a hash and compare the resulting hashes with a dictionary they can easily create of existing PrimeFaces sources and then know which version you use. So the only thing to do here is to modify the source to have it not turn up 'known or comparable' hashes by making some slight modifications (adding whitespace should already help).

    But if you really want the version not to be shown, you can download the PrimeFaces sources and replace the version info with some obfuscated number and build that custom version. Keep in mind that if you don't make any changes in the sources, the dictionary lookups mentioned above are still working. So it is only some minor inconvenience for hackers.
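
A release-gate check for the point made in the answer above, as an added example that is not part of the original post or of PrimeFaces: it reports which resources in a custom build are still byte-identical to stock files. The release names, file names and contents are constructed placeholders.

```python
import hashlib

# Constructed stand-ins for stock release files; names, versions and bytes are
# placeholders, not real PrimeFaces content.
STOCK = {
    "release-A": {"core.js": b"PF=function(){return 1};", "theme.css": b".ui{margin:0}"},
    "release-B": {"core.js": b"PF=function(){return 2};", "theme.css": b".ui{margin:0}"},
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_dictionary(stock):
    """Map each file hash to the set of stock releases that ship those bytes."""
    table = {}
    for release, files in stock.items():
        for content in files.values():
            table.setdefault(digest(content), set()).add(release)
    return table


def audit(build, stock):
    """Return (files still byte-identical to stock, releases consistent with all of them)."""
    table = build_dictionary(stock)
    matches = {name: table[digest(data)] for name, data in build.items()
               if digest(data) in table}
    candidates = set(stock)
    for releases in matches.values():
        candidates &= releases  # each matching file narrows the possible releases
    return sorted(matches), (sorted(candidates) if matches else [])


# Three constructed builds: untouched, one file changed, every file changed.
UNMODIFIED = dict(STOCK["release-B"])
PARTIAL = {**UNMODIFIED, "core.js": UNMODIFIED["core.js"] + b"\n"}
FULL = {name: data + b"\n" for name, data in UNMODIFIED.items()}

if __name__ == "__main__":
    for label, build in (("unmodified", UNMODIFIED), ("partial", PARTIAL), ("full", FULL)):
        print(label, audit(build, STOCK))
```

A file left untouched still narrows the version down, so the gate should only pass when the first list is empty.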
