httpd-dev mailing list archives

From Brian Behlendorf <br...@hyperreal.org>
Subject security implications of 'Server:'
Date Sat, 09 May 1998 00:12:18 GMT
At 05:42 PM 5/8/98 -0600, you wrote:
>I don't think it is a "good" idea, but I can find no security objections
>to it and can find more than one helpful debugging purpose.

I agree.  And as for the HTTP standard, the only thing I can find which
seems relevant is:

15.1.2:
| Revealing the specific software version of the server may allow the
| server machine to become more vulnerable to attacks against software
| that is known to contain security holes. Implementers SHOULD make the
| Server header field a configurable option.

which we of course (by virtue of source) do.

	Brian

p.s. - Marc, Roy's not on new-httpd, just apache-core, so he probably
didn't see your response.

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
pure chewing satisfaction                                  brian@apache.org
                                                        brian@hyperreal.org
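
The following is an added example, not part of the original message and not Apache code: a parser for the HTTP/1.1 Server grammar (`1*( product | comment )`) that lets an operator check which product tokens in their own server's header reveal a specific version, the concern raised in the quoted 15.1.2 text. The function names and the header values are constructed for illustration.

```python
import re

# HTTP/1.1 grammar: Server = 1*( product | comment )
#                   product = token ["/" product-version]
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT_RE = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")

def parse_server(value):
    """Split a Server header value into (products, comments).

    products is a list of (name, version-or-None); comments are the
    parenthesised strings, with nested parentheses handled."""
    products, comments = [], []
    i, n = 0, len(value)
    while i < n:
        ch = value[i]
        if ch in " \t":
            i += 1
        elif ch == "(":
            depth, j = 1, i + 1
            while j < n and depth:
                if value[j] == "\\":      # quoted-pair: skip the escaped char
                    j += 1
                elif value[j] == "(":
                    depth += 1
                elif value[j] == ")":
                    depth -= 1
                j += 1
            if depth:
                raise ValueError("unterminated comment")
            comments.append(value[i + 1:j - 1])
            i = j
        else:
            m = PRODUCT_RE.match(value, i)
            if not m:
                raise ValueError(f"unexpected character at offset {i}")
            products.append((m.group(1), m.group(2)))
            i = m.end()
    return products, comments

def disclosed_versions(value):
    """Return the product tokens that reveal a specific software version."""
    products, _ = parse_server(value)
    return [f"{name}/{ver}" for name, ver in products if ver]

if __name__ == "__main__":
    # Constructed header values, not captured from any real server.
    for sample in ("ExampleServer/1.2.3 (Unix) mod_example/0.9", "ExampleServer"):
        print(repr(sample), "->", disclosed_versions(sample) or "no version disclosed")
```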
