[Feature] be able to hide the next version

[MTroian94]

Link to the code that reproduces this issue

https://github.com/MTroian94/next-version-window

To Reproduce

1. Build the application (pnpm run build)
2. Start the production server (pnpm run start)
3. Open the browser and visit the page
4. Open the browser console
5. window.next shows the actual version

Current vs. Expected behavior

Following the steps from the previous section, I expected to see the next version in window.next

Provide environment information

Operating System:
  Platform: darwin
  Arch: x64
  Version: Darwin Kernel Version 22.6.0: Wed Jul  5 22:21:56 PDT 2023; root:xnu-8796.141.3~6/RELEASE_X86_64
  Available memory (MB): 16384
  Available CPU cores: 12
Binaries:
  Node: 20.9.0
  npm: 10.1.0
  Yarn: 1.22.19
  pnpm: 9.1.2
Relevant Packages:
  next: 15.0.3-canary.9 // Latest available version is detected (15.0.3-canary.9).
  eslint-config-next: N/A
  react: 19.0.0-rc-66855b96-20241106
  react-dom: 19.0.0-rc-66855b96-20241106
  typescript: 5.3.3
Next.js Config:
  output: N/A

Which area(s) are affected? (Select all that apply)

Not sure

Which stage(s) are affected? (Select all that apply)

next build (local)

Additional context

These discussions:

• How to hide next.js version from tools like Wappanalyzer #68058
• How to remove nextjs version information #39488

show how to hide the Next.js version by modifying the built code. Is it possible to hide the Next.js version using the configuration in the next.config.js file? Setting poweredByHeader to false is not enough.

This is still a potential security issue for apps using Next.js, as attackers can see which Next.js version is used and potentially find exploits for that particular version.

Thank you!

[samcx]

@MTroian94 Moving this to discussions since this is a feature request. Let me discuss this with the team and get back to you!

[samcx]

@MTroian94 This was discussed to lengths in the team and it was decided that hiding the Next.js version does not realistically increase security (e.g., React itself does not hide the version).

[MTroian94]

Ok, thank you and best regards!

[mnahkies]

@samcx I think that NextJS being an actual server rather than client side renderer should have a bearing here. This gets flagged to us every time we do a pentest.

Whilst hiding the version information is somewhat security by obscurity, it does slightly raise the difficulty of drive-by exploits, and unless there is a technical reason it needs to be present it would seem sensible to omit it.

ref: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework

[mnahkies]

To add a little more colour to this, there have been a reasonable number of CVEs against next recently, such as https://vercel.com/blog/postmortem-on-next-js-middleware-bypass

Exposing version information makes it much easier to scan for potentially vulnerable sites.

Arguably you can probably still fingerprint the client side portion of the code to guess the version, but it's not as trivial as being handed the version number.

[pnalepa-bishopfox]

I believe it should be possible to hide the version number to avoid potential issues mentioned by @mnahkies