httpd-cvs mailing list archives

From rbo...@apache.org
Subject cvs commit: httpd-docs-1.3/htdocs/manual/misc FAQ-E.html
Date Sun, 30 Jun 2002 20:09:18 GMT
rbowen      2002/06/30 13:09:18

  Modified:    htdocs/manual/misc FAQ-E.html
  Log:
  Added FAQ about modifying the Server: response header.
  
  Revision  Changes    Path
  1.20      +52 -1     httpd-docs-1.3/htdocs/manual/misc/FAQ-E.html
  
  Index: FAQ-E.html
  ===================================================================
  RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/misc/FAQ-E.html,v
  retrieving revision 1.19
  retrieving revision 1.20
  diff -u -r1.19 -r1.20
  --- FAQ-E.html	26 Jun 2002 02:24:18 -0000	1.19
  +++ FAQ-E.html	30 Jun 2002 20:09:18 -0000	1.20
  @@ -144,6 +144,8 @@
            <li><a href="#options">Why do my Options directives not have
            the desired effect?</a></li>
   
  +         <li><a href="#serverheader">How can I change the information
  +         that Apache returns about itself in the headers?</a><li>
   
           </ol>
         </li>
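Review bot: The new index entry ends with an opening `<li>` where a closing `</li>` is needed (the line `that Apache returns about itself in the headers?</a><li>`), so the item is never closed and an empty list item is opened just before `</ol>`. Change the trailing tag to `</li>`.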
  @@ -801,6 +803,55 @@
            <code>&lt;Directory&gt;</code> section.</p>
   
          <hr /></li>
  +
  +
  +       <li><a id="serverheader" name="servername"><strong>How can I change
  +       the information that Apache returns about itself in the
  +       headers?</strong></a>
  +
  +    <p>When a client connects to Apache, part of the information returned in
  +    the headers is the name "Apache" Additional information that can be sent
  +    is the version number, such as "1.3.26", the operating system, and a
  +    list of non-standard modules you have installed.</p>
  +
  +    <p>For example:</p>
  +
  +<blockquote><code>
  +Server: Apache/1.3.26 (Unix) mod_perl/1.26
  +</code></blockquote>
  +
  +    <p>Frequently, people want to remove this information, under the mistaken
  +    understanding that this will make the system more secure. This is
  +    probably not the case, as the same exploits will likely be attempted
  +    regardless of the header information you provide.</p>
  +
  +    <p>There are, however, two answers to this question: the correct answer,
  +    and the answer that you are probably looking for.</p>
  +
  +    <p>The correct answer to this question is that you should use the
  +    ServerTokens directive to alter the quantity of information which is
  +    passed in the headers. Setting this directive to <code>Prod</code> will
  +    pass the least possible amount of information:</p>
  +
  +<blockquote><code>
  +Server: Apache
  +</code></blockquote>
  +
  +    <p>The answer you are probably looking for is how to make Apache lie 
  +    about what what it is, ie send something like:</p>
  +
  +<blockquote><code>
  +Server: Bob's Happy HTTPd Server
  +</code></blockquote>
  +
  +    <p>In order to do this, you will need to modify the Apache source code and
  +    rebuild Apache. This is not advised, as it is almost certain not to
  +    provide you with the added security you think that you are gaining. The
  +    exact method of doing this is left as an exercise for the reader, as we
  +    are not keen on helping you do something that is intrinsically a bad
  +    idea.</p>
  +
  +    <hr /></li>
   
       </ol>
       <!--#endif -->
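Review bot: The anchor for the new entry carries two different names, `id="serverheader" name="servername"`, while the index link added in the first hunk points at `#serverheader`; a browser that resolves fragments by `name` will not find the target, so both attributes should be `serverheader`. Two text fixes in the same hunk: the sentence ending `the name "Apache"` is missing its period before "Additional information", and `about what what it is, ie send something like:` has a doubled "what" and should read "i.e.". ServerTokens is also left as plain text where `Prod` is wrapped in `<code>`; marking up the directive name the same way would be consistent.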
  
  
  
