prevent_version_disclosure
This module does only one thing. Drupal appends the library version as a query parameter (?v=...) to the src attribute of each script tag; this module replaces that version with a hash of it. There is no configuration.
- Installed - JavaScript asset references in the HTML source carry a hash in place of the version number, so the library version is no longer readable from the URL while the query string still changes whenever the version does.
src="/core/assets/vendor/jquery/jquery.min.js?v=d5t4a2hC"
src="/core/assets/vendor/underscore/underscore-min.js?v=OoQsK9Dv"
src="/core/assets/vendor/once/once.min.js?v=1R5uyUBY"
- Uninstalled - JavaScript asset references in the source reveal the exact library version. This is Drupal's default behaviour.
src="/core/assets/vendor/jquery/jquery.min.js?v=3.7.1"
src="/core/misc/touchevents-test.js?v=10.4.5"
src="/core/assets/vendor/backbone/backbone-min.js?v=1.6.0"
FAQs
What is "Version Disclosure"?
Version disclosure is the security term for software revealing which version of a component it is running. An attacker who knows the exact version can look up the published vulnerabilities for that release instead of having to probe for them. Vulnerability scanners routinely report "version disclosure" whenever they can read a version string, usually at low severity, but those findings still add to the count in a report that should ideally have no findings at all.
Doesn't Drupal's javascript aggregation prevent version disclosure?
Yes, on most pages, provided JavaScript aggregation is actually enabled (the js.preprocess setting in system.performance; it is often switched off on development sites). Drupal's special PHP entry points install.php and update.php do not use aggregation, so on those pages the version of every JavaScript asset can be read by simply viewing the page source.
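The transformation described at the top of this page, together with the view-source check this answer talks about, as an added example in Python (not the module's own PHP code): it scans HTML for script tags whose v= query parameter looks like a release number, rewrites each such value to a short keyed hash, and scans again. The sample page is constructed from the src values shown above; the HMAC-SHA256 construction, the private key and the eight-character truncation are assumptions for illustration and are not taken from the module.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Script tags with a src attribute (simplified matcher for this example; not the module's parser).
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc="([^"]+)"', re.IGNORECASE)
# A v= value that looks like a release number (3.7.1, 10.4.5, 4.0.0-beta1) rather than an opaque token.
VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}([.-][0-9A-Za-z]+)?$")

# Constructed sample page: the three versioned src values shown above plus one aggregated file.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<script src="/core/assets/vendor/jquery/jquery.min.js?v=3.7.1"></script>
<script src="/core/misc/touchevents-test.js?v=10.4.5"></script>
<script src="/core/assets/vendor/backbone/backbone-min.js?v=1.6.0"></script>
<script src="/sites/default/files/js/js_Qx7.js?scope=header"></script>
</head><body></body></html>
"""


def find_version_disclosures(html: str) -> list[tuple[str, str]]:
    """Return (path, version) for every script src whose v= parameter is a readable version number."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        parts = urlsplit(src)
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key == "v" and VERSION_RE.match(value):
                findings.append((parts.path, value))
    return findings


def hash_version(version: str, private_key: bytes, length: int = 8) -> str:
    """Map a version string to a short keyed hash: HMAC-SHA256, URL-safe base64, truncated.

    Assumption for this example; the module's exact construction is not documented on this page.
    Keyed, so the value cannot be reversed by hashing the handful of plausible versions offline;
    deterministic, so a given version always yields the same URL and browser caching still works.
    """
    digest = hmac.new(private_key, version.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")[:length]


def rewrite_script_srcs(html: str, private_key: bytes) -> str:
    """Replace every readable v= version in script src attributes with its keyed hash."""

    def rewrite(match: re.Match) -> str:
        src = match.group(1)
        parts = urlsplit(src)
        query = [
            (k, hash_version(v, private_key) if k == "v" and VERSION_RE.match(v) else v)
            for k, v in parse_qsl(parts.query, keep_blank_values=True)
        ]
        new_src = urlunsplit(parts._replace(query=urlencode(query)))
        return match.group(0).replace(src, new_src, 1)

    return SCRIPT_SRC_RE.sub(rewrite, html)


if __name__ == "__main__":
    key = b"constructed-example-secret"  # assumption: a site-specific secret such as Drupal's hash_salt
    print("before:", find_version_disclosures(SAMPLE_HTML))
    hardened = rewrite_script_srcs(SAMPLE_HTML, key)
    print("after: ", find_version_disclosures(hardened))
    print(hardened)
```

Keying the hash matters: the set of plausible version strings is tiny, so an unkeyed hash of "3.7.1" can be recovered offline by hashing candidates and comparing; with a site-specific secret (Drupal already has $settings['hash_salt'], and core's Crypt::hmacBase64 produces this kind of value in PHP) it cannot. Because the hash is deterministic for a given version, the query string still changes whenever the library is updated, so cache busting is preserved. To check a live site, run find_version_disclosures over the HTML of install.php and update.php as well as an ordinary page, not just the front page where aggregation hides the versions.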
Isn't this security by obscurity?
Yes it is. This is a very, very minor bit of security, the equivalent of hiding the house key under the door mat instead of leaving it in the lock. It removes one easy signal rather than stopping a determined attacker, but every little bit helps, or, as security practitioners call it, "defense in depth".
Don't many javascript libraries have methods or other ways to declare what version they are?
Some do. jQuery, for example, reports its version at runtime in jQuery.fn.jquery, and a minified library file usually still carries its version in the header comment, so anyone who fetches the file can read it there; hashing the URL does not change the file's contents. That is each library's choice. If a library stops announcing its version, it should be up to Drupal to keep the secret like a trusted friend rather than print it in the URL.
Is there a reason asset version disclosure is not handled by Drupal core?
In summary, the risk is considered too small to act on, and attackers have other ways of determining what is running (see the previous question). The discussion is a long thread in Drupal issue #3518344.
Do snitches get stitches?
They do have that potential, so this module tells Drupal to keep its bleepin' mouth shut.
Do loose lips sink ships?
Shiver me timbers yes!! Blatherin' deck-hands ought be keelhauled or at least have thar rum donated to the cap'n.
Similar projects
There is a similar rationale for using
- Remove Generator Meta Tags module
- Remove http Headers module