Feature Request: Configurable Version Information Verbosity for /api/v2/updatecheck #20149

@bjornrobertsson

Description


tl;dr: Removing the version string reduces the footprint available to malicious actors for identifying flaws in the code.

Summary

Add a configuration option to control the verbosity of version information disclosed by the /api/v2/updatecheck endpoint, similar to Apache's ServerTokens directive. This addresses security concerns about unauthenticated disclosure of detailed backend version and Git commit information while maintaining update check functionality.

Background

Current Behavior

The /api/v2/updatecheck endpoint currently returns detailed version information to unauthenticated users:

{"current":true,"version":"v2.25.1-devel+2b14aa3ee","url":"https://github.com/coder/coder/commit/2b14aa3eecf414cf0b4bbb06a5c7f9066f80d61c"}

Security Concern

This detailed information disclosure can enable:

  • Version fingerprinting: Attackers can identify exact versions and build commits
  • Targeted reconnaissance: Knowledge of specific commits allows vulnerability mapping
  • Development workflow insights: Exposure of internal build identifiers and CI/CD structure
  • Accelerated exploitation: Direct links to source code and changelogs

Current Mitigation

The update check can be completely disabled using:

coder:
  env:
    - name: CODER_UPDATE_CHECK
      value: "false"

However, this removes all update check functionality, which may not be desirable for administrators who want to monitor for updates while limiting information disclosure.

Proposed Solution

Configuration Option

Add a --update-check-version-tokens configuration option with Apache ServerTokens-style verbosity levels:

CLI Flag:

--update-check-version-tokens=Prod

Environment Variable:

CODER_UPDATE_CHECK_VERSION_TOKENS=Prod

YAML Configuration:

updateCheckVersionTokens: Prod

Verbosity Levels

Full (Default - Current Behavior)

Maintains backward compatibility with existing behavior:

{"current":true,"version":"v2.25.1-devel+2b14aa3ee","url":"https://github.com/coder/coder/commit/2b14aa3eecf414cf0b4bbb06a5c7f9066f80d61c"}

Prod (Production-Safe)

Returns clean version without build/commit information:

{"current":true,"version":"v2.25.1","url":"https://github.com/coder/coder/releases"}

Major (Major Version Only)

Returns only major version information:

{"current":true,"version":"v2","url":"https://github.com/coder/coder/releases"}

Minimal (Repository Reference Only)

Returns minimal information with repository link:

{"url":"https://github.com/coder/coder"}

None (No Version Information)

Returns empty response or minimal structure:

{}
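The five levels above are a pure function of the build string the server already knows. The following Go program is an added example written for this issue, not code from the Coder project: it assumes a hypothetical VersionTokens setting with the level names proposed above, derives each response from the sample version "v2.25.1-devel+2b14aa3ee" and its commit URL (both taken from the issue), and includes a LeaksBuildInfo check of the kind the "Security testing validates reduced information disclosure" acceptance criterion would run against a captured response body.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// VersionTokens mirrors the verbosity levels proposed in the issue.
// The type and constant names are assumptions; Coder has no such option today.
type VersionTokens string

const (
	TokensFull    VersionTokens = "Full"
	TokensProd    VersionTokens = "Prod"
	TokensMajor   VersionTokens = "Major"
	TokensMinimal VersionTokens = "Minimal"
	TokensNone    VersionTokens = "None"
)

// UpdateCheckResponse is the JSON shape of /api/v2/updatecheck as shown in the issue.
// Fields are omitted when empty so that Minimal and None shrink the body
// while the structure stays the same for every level.
type UpdateCheckResponse struct {
	Current *bool  `json:"current,omitempty"`
	Version string `json:"version,omitempty"`
	URL     string `json:"url,omitempty"`
}

const (
	repoURL     = "https://github.com/coder/coder"
	releasesURL = repoURL + "/releases"
)

// semverRe splits "v2.25.1-devel+2b14aa3ee" into the major part ("v2"),
// the ".minor.patch" part (".25.1") and any pre-release/build suffix.
var semverRe = regexp.MustCompile(`^(v?\d+)(\.\d+\.\d+)?(.*)$`)

// Redact builds the response for one verbosity level from the full build
// string and commit URL; the server never needs to know less than Full.
func Redact(level VersionTokens, current bool, fullVersion, commitURL string) UpdateCheckResponse {
	major, minorPatch := fullVersion, ""
	if m := semverRe.FindStringSubmatch(fullVersion); m != nil {
		major, minorPatch = m[1], m[2]
	}
	cur := current
	switch level {
	case TokensProd:
		return UpdateCheckResponse{Current: &cur, Version: major + minorPatch, URL: releasesURL}
	case TokensMajor:
		return UpdateCheckResponse{Current: &cur, Version: major, URL: releasesURL}
	case TokensMinimal:
		return UpdateCheckResponse{URL: repoURL}
	case TokensNone:
		return UpdateCheckResponse{}
	default: // Full, and any unrecognised value, keeps today's behaviour
		return UpdateCheckResponse{Current: &cur, Version: fullVersion, URL: commitURL}
	}
}

// Marshal renders the response as the compact JSON the endpoint emits.
func Marshal(r UpdateCheckResponse) string {
	b, _ := json.Marshal(r)
	return string(b)
}

// buildMetaRe matches the identifiers the issue wants kept out of
// unauthenticated responses: a "+<hex>" build suffix, a "-devel" tag,
// or a 40-hex commit path in a URL.
var buildMetaRe = regexp.MustCompile(`\+[0-9a-f]{7,}|-devel|/commit/[0-9a-f]{40}`)

// LeaksBuildInfo is the assertion a security test would make on a captured
// response body after setting a level below Full.
func LeaksBuildInfo(body string) bool {
	return buildMetaRe.MatchString(body)
}

func main() {
	// Sample values constructed from the issue's own example response.
	const version = "v2.25.1-devel+2b14aa3ee"
	const commit = repoURL + "/commit/2b14aa3eecf414cf0b4bbb06a5c7f9066f80d61c"
	for _, lvl := range []VersionTokens{TokensFull, TokensProd, TokensMajor, TokensMinimal, TokensNone} {
		body := Marshal(Redact(lvl, true, version, commit))
		fmt.Printf("%-8s leaks=%-5v %s\n", lvl, LeaksBuildInfo(body), body)
	}
}
```

Because Current is a pointer, a level that keeps the field still reports "current":false honestly, while Minimal and None drop it entirely; that is what keeps the response parseable by existing clients at every level.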

Implementation Considerations

Backward Compatibility

  • Default behavior remains Full to maintain existing functionality
  • Existing deployments continue to work without configuration changes
  • API response structure remains consistent across verbosity levels
  • Do we remove the UI parts, login screen, end-user Settings visibility?

Security Benefits

  • Reduced attack surface: Limits information available for reconnaissance
  • Flexible security posture: Organizations can choose appropriate disclosure level
  • Compliance alignment: Helps meet security requirements for minimal information disclosure

Operational Benefits

  • Maintained functionality: Update checks continue to work at reduced verbosity levels
  • Administrative visibility: Admins can still monitor for updates while limiting public disclosure
  • Configuration flexibility: Easy to adjust based on environment requirements (dev/staging/prod)

Use Cases

Production Environments

Set to Prod or Minimal to limit version disclosure while maintaining update awareness:

updateCheckVersionTokens: Prod

High-Security Environments

Set to None to completely eliminate version information disclosure:

updateCheckVersionTokens: None

Development/Staging

Keep Full for detailed version tracking and debugging:

updateCheckVersionTokens: Full

Alternative Approaches Considered

  1. Complete endpoint disabling: Already available via CODER_UPDATE_CHECK=false but removes all functionality
  2. Authentication requirement: Would break existing update check workflows
  3. Response filtering: Current proposal provides granular control while maintaining API structure

References

  • Apache ServerTokens: Industry standard for controlling server version disclosure
  • Original Security Report: Issue #5 - Unauthenticated Disclosure of Backend Version and Git Commit
  • Existing Configuration: CODER_UPDATE_CHECK environment variable
  • Endpoint Documentation: /api/v2/updatecheck endpoint behavior

Acceptance Criteria

  • Configuration option accepts all specified verbosity levels
  • Default behavior remains unchanged (Full)
  • API response structure maintained across all levels
  • Documentation updated with new configuration option
  • Backward compatibility preserved
  • Security testing validates reduced information disclosure

Priority

Medium-High - Addresses security concerns while maintaining operational functionality. Requested by enterprise customer (Europol) for compliance requirements.
