Today, I noticed that Angular adds its version information in the app-root as following:
<app-root _nghost-c0="" ng-version="5.2.0">
And even when I build in the production environment, it seems to be present. I don't know what's the main goal for adding that information there ? Isn't it a security issue to show the angular version publicly ? Thanks
It's an old question, but still relevant and the accepted answer could be misleading. According to Miško Hevery: "This is there intentionally, so that tools such an augury, can detect that it is an angular page and can provide useful UI."
It is not a security issue in itself, but hiding it isn't "security by obscurity" either, as that would mean that's all the security measures you take. In fact using obscurity is a good practice as it makes information gathering (recon) harder for the attacker, but one must never rely on this alone.
Angular uses this attribute to tag the element that was used to bootstrap the application.
See also https://github.com/angular/angular/commit/a4de214e2be5048f1261d043cc467a5ecaa5c909
Hiding it would only be security by obscurity which is not security.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With