5 Replies. Latest reply: Dec 21, 2012 11:53 PM by jariola

Why APEX 4.2 shows version number as parameter for static files?

jariola Guru
Hi,

I just wonder why APEX 4.2 uses a detailed version number as a parameter for static files when you view the page source, like
<link type="text/css" href="/i/css/apex.min.css?v=4.2.1.00.08" rel="stylesheet">
I know what the idea behind this parameter is,
but why use the detailed version number?

Some "paranoid" people might start to argue that it is not secure to expose to the public the version number of the software you are running on the server.
Hackers might use that information, e.g. if there are known security bugs in the software.

Also, what is the idea of having apex_version number.txt among the APEX image and other files?

Regards,
Jari
-----
My Blog: http://dbswh.webhop.net/htmldb/f?p=BLOG:HOME:0
Twitter: http://www.twitter.com/jariolai
  • 1. Re: Why APEX 4.2 shows version number as parameter for static files?
    Andreas Wismann Explorer
    The detailed version number prevents browsers from caching these files. An upcoming (minor) release might need to alter some of the file content and will therefore just increment the file's subrelease number. If it wasn't that detailed, you'd have to tell your users to "please empty your browser cache".

    By the way, version numbers in stylesheet files don't bother hackers much because, well,
    a) even if it's an extremely pretty stylesheet, it's still only a stylesheet and
    b) you could read it anyway :-)

    A merry Christmas to all of you, seems we have almost made it through December 21st today.
  • 2. Re: Why APEX 4.2 shows version number as parameter for static files?
    Arie Geller Guru
    Hello,

    >> The detailed version number prevents browsers from caching these files …

    Your intention is correct, but your phrasing is a bit off. These files will be cached by the browser, and the cache will be used as long as the URL remains the same. So, no impact on performance due to the use of this parameter. Only after future changes in the URL – by changing the detailed version number – will the browser clear the current file cache, reread the new file, and cache the new version.

    Regards,
    Arie.

    -------------------------------------------------------
    ♦ Please remember to mark appropriate posts as correct/helpful. For the long run, it will benefit us all.

    ♦ Author of Oracle Application Express 3.2 – The Essentials and More
  • 3. Re: Why APEX 4.2 shows version number as parameter for static files?
    jariola Guru
    Hi,

    Thank you for the answers. As I tried to explain with my very bad English, I know why there is that "parameter"/"value" at the end of e.g. a CSS file URL.
    And I'm not worried that someone reads my APEX CSS files' source.

    Why is that value the version number? Everybody knows your APEX version when they view the page source.
    Let's say there is a bug in session state protection in e.g. APEX version xxxxx.
    A "hacker" knowing the version number and possible security bugs might attack your application.

    Regards,
    Jari
    -----
    My Blog: http://dbswh.webhop.net/htmldb/f?p=BLOG:HOME:0
    Twitter: http://www.twitter.com/jariolai
  • 4. Re: Why APEX 4.2 shows version number as parameter for static files?
    Patrick Wolf Employee ACE
    Hi Jari,

    For a hacker it's no problem to identify which APEX version you are using. He just has to generate the hash value for one of our external files which are changed in each release (like desktop_all.min.js). Once he has a hash for each APEX version, he just has to request that file from your system and generate a comparison hash. So trying to hide a version number is just security by obfuscation, which isn't really secure.

    As already outlined by others, including the version number as a parameter makes it possible to greatly improve the performance of your app, because it allows adding a cache expiry header for those files with an expiry date = never. And you will still get the new file as soon as a patch set / release is installed on your system, without having to tell your users to clear caches (a problem we often had in the past on apex.oracle.com).

    Regards
    Patrick
    -----------
    My Blog: http://www.inside-oracle-apex.com
    APEX Plug-Ins: http://apex.oracle.com/plugins
    Twitter: http://www.twitter.com/patrickwolf
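
A patch-level check built on the ?v= parameter discussed in this thread, as an added example that is not part of any post or of APEX itself: it reads the version strings a page exposes in its static-file URLs and lists those older than a baseline you supply. The function names, the sample markup other than the stylesheet tag quoted in the question, and the baseline value are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

DOTTED = re.compile(r"\d+(\.\d+)+")  # e.g. 4.2.1.00.08

class StaticRefParser(HTMLParser):
    """Collect the ?v= value of every <link href> and <script src>."""
    def __init__(self):
        super().__init__()
        self.versions = set()

    def handle_starttag(self, tag, attrs):
        attr = {"link": "href", "script": "src"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        for value in parse_qs(urlsplit(url).query).get("v", []):
            if DOTTED.fullmatch(value):  # ignore non-version cache keys
                self.versions.add(value)

def version_key(version):
    """'4.2.1.00.08' -> (4, 2, 1, 0, 8), so releases compare numerically."""
    return tuple(int(part) for part in version.split("."))

def audit(page_source, baseline):
    """Return (versions exposed by the page, those older than baseline)."""
    parser = StaticRefParser()
    parser.feed(page_source)
    exposed = sorted(parser.versions, key=version_key)
    stale = [v for v in exposed if version_key(v) < version_key(baseline)]
    return exposed, stale

# Constructed sample page. Only the first stylesheet tag is quoted from the
# thread; the script path and the second stylesheet are made up.
SAMPLE = """
<link type="text/css" href="/i/css/apex.min.css?v=4.2.1.00.08" rel="stylesheet">
<script src="/i/js/desktop_all.min.js?v=4.2.1.00.08"></script>
<link rel="stylesheet" href="/theme/site.css?v=abc123">
"""

if __name__ == "__main__":
    # 99.0 is a placeholder baseline, not a real APEX release.
    exposed, stale = audit(SAMPLE, "99.0")
    print("exposed:", exposed)
    print("below baseline:", stale)
```

Run it against the saved page source of your own applications with the baseline set to the patch level you require; an empty second list means every exposed version meets it.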
  • 5. Re: Why APEX 4.2 shows version number as parameter for static files?
    jariola Guru
    Hi,

    Thanks

    Regards,
    Jari
    -----
    My Blog: http://dbswh.webhop.net/htmldb/f?p=BLOG:HOME:0
    Twitter: http://www.twitter.com/jariolai
