Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

This module prevents the disclosure of Drupal's version number in JavaScript asset URLs. It hashes the version query parameter, making it harder for malicious actors to identify specific versions of your site's code.

Prevent Version Disclosure

This module does only one thing. It hashes the version number that is usually attached as a query parameter to the end of the src property of the script tag. There is no configuration.

  • Installed - All javascript assets will not have their version number appended to their file reference in the html source.
src="/core/assets/vendor/jquery/jquery.min.js?v=d5t4a2hC"
src="/core/assets/vendor/underscore/underscore-min.js?v=OoQsK9Dv"
src="/core/assets/vendor/once/once.min.js?v=1R5uyUBY"
  • Uninstalled - javascript asset references in the source will reveal what version they are. This is the default for Drupal.
src="/core/assets/vendor/jquery/jquery.min.js?v=3.7.1"
src="/core/misc/touchevents-test.js?v=10.4.5"
src="/core/assets/vendor/backbone/backbone-min.js?v=1.6.0"

FAQs

What is "Version Disclosure"?

Version disclosure is a security term that describes what happens when software applications reveal what version of code is being used. In theory this can make it easier for bad people to do bad things. Many threat detection tools often call out findings of "Version disclosure" if they are able to easily determine what version of code is running. These are usually listed as low severity. However, they still increase the number findings in a report that should ideally have no findings.

Doesn't Drupal's javascript aggregation prevent version disclosure?

Yes, on most pages. However on Drupal's special php pages like install.php and update.php, aggregation is not applied so on these pages, javascript asset versions can be seen by simply viewing the source of the page.

Isn't this security by obscurity?

Yes it is. This is a very very minor bit of security that is equivalent to hiding your house key under the door mat instead of leaving the key in the lock. Every little bit helps or as security practitioners call it, "defense in depth".

Don't many javascript libraries have methods or other ways to declare what version they are?

Some do. That is their choice. If they decide to stop that practice, then it should be up to Drupal to keep their secrets like a trusted friend.

Is there a reason asset version disclosure is not handled by Drupal core?

In summary, it is considered so small a risk and there are other methods that attackers can use to determine what is running. It is a long thread in a Drupal issue #3518344

Do snitches get stitches?

They do have that potential, so this module tells Drupal to keep its bleepin' mouth shut.

Do loose lips sink ships?

Shiver me timbers yes!! Blatherin' deck-hands ought be keelhauled or at least have thar rum donated to the cap'n.

Similar projects

There is a similar rationale for using

Activity

Total releases
3
First release
Jun 2025
Latest release
4 months ago
Releases (12 mo)
1 ▼ from 2
Maintenance
Active

Release Timeline

Releases

Version Type Release date
1.0.1 Stable Feb 23, 2026
1.0.0 Stable Jun 5, 2025
1.0.x-dev Dev Jun 5, 2025