1

If an open source web application is publishing its version via a public, non-access-controlled API or header, is it considered a security issue?

The premise of the question is that, if a particular version had a vulnerability which was fixed in a later release, attackers could target the vulnerable version if it is public.

This is similar to other web servers and frameworks (like nginx, Express, etc.) setting a header like `X-Powered-By: Express/1.0`.

Shahidh
  • 111
  • 3
  • I'm not sure attackers actually care about the reported software versions. I often see traces of totally unrelated attacks in access logs of web applications, for example I see WordPress exploits tried on static websites, or Joomla exploits on WordPress websites. This seems to imply that often automated attacks don't care to check versions, but they go straight to checking if an exploit works. – reed Jan 09 '19 at 10:26

2 Answers

1

It's generally considered an unnecessary risk, yes. There is no need to make things easy for the automated vuln scanners or worms, much less intelligent attackers. Legit users have no use for the information, developers / sysadmins can examine the server or connect to some internal-only diagnostic page with more info, and you'll save a smidgen of bandwidth to boot.

CBHacking
  • 40,303
  • 3
  • 74
  • 98
1

Hiding your server’s version information would be a form of security by obscurity. Sure it won’t hurt, but I would not really consider it a security issue.

An attacker can easily try hundreds of known vulnerabilities against your service in a matter of minutes. In this case, hiding the version, or even the name of the service, does nothing since the attacker is trying everything already. In general, you should always assume an attacker knows your entire technology stack.

Of course, the best solution is to have policies and methods in place to prevent running services with known exploits in the first place. I still disable it if I can, when I’m running these services. Maybe it will save a few megs of bandwidth at scale.

InvokeStatic
  • 133
  • 1
  • 5
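Both answers end up recommending that the version header be suppressed. The following is an added example (not code from the question or either answer) that audits a set of HTTP response headers for product/version disclosure and returns a copy with those headers removed; the header-name list and the sample header values are constructed for illustration.

```javascript
// Response headers that commonly carry product and version strings.
// The list is an assumption for this example, not exhaustive.
const DISCLOSURE_HEADERS = [
  'server', 'x-powered-by', 'x-aspnet-version', 'x-aspnetmvc-version', 'x-generator',
];

// Matches "Product/1.2.3" or "Product 1.2" tokens; a value may hold several.
const VERSION_RE = /([A-Za-z][\w.-]*)[\/ ]v?(\d+(?:\.\d+)*)/g;

// Returns one finding per disclosed product. A header that names a product
// without a version (e.g. "X-Powered-By: Express") is still reported, with
// version null, because it reveals the stack even if not the exact release.
function findVersionDisclosures(headers) {
  const findings = [];
  for (const [name, value] of Object.entries(headers)) {
    const header = name.toLowerCase();
    if (!DISCLOSURE_HEADERS.includes(header)) continue;
    const text = Array.isArray(value) ? value.join(', ') : String(value);
    const before = findings.length;
    VERSION_RE.lastIndex = 0;
    let m;
    while ((m = VERSION_RE.exec(text)) !== null) {
      findings.push({ header, product: m[1], version: m[2] });
    }
    if (findings.length === before && text.trim() !== '') {
      findings.push({ header, product: text.trim(), version: null });
    }
  }
  return findings;
}

// Returns a copy of the headers with disclosure headers dropped. In practice
// prefer not to emit them at all (Express: app.disable('x-powered-by');
// nginx: server_tokens off;), and use this only as a last-line filter.
function redactDisclosureHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!DISCLOSURE_HEADERS.includes(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Constructed sample response headers for a quick run.
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html',
  'Server': 'Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f',
  'X-Powered-By': 'Express/1.0',
};
console.log(findVersionDisclosures(SAMPLE_HEADERS));
```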