httpd-dev mailing list archives

From Brian Behlendorf <>
Subject security implications of 'Server:'
Date Sat, 09 May 1998 00:12:18 GMT
At 05:42 PM 5/8/98 -0600, you wrote:
>I don't think it is a "good" idea, but I can find no security objections
>to it and can find more than one helpful debugging purpose.

I agree.  And as for the HTTP standard, the only thing I can find which
seems relevant is:

| Revealing the specific software version of the server may allow the
| server machine to become more vulnerable to attacks against software
| that is known to contain security holes. Implementers SHOULD make the
| Server header field a configurable option.

which we of course (by virtue of source) do.


p.s. - Marc, Roy's not on new-httpd, just apache-core, so he probably
didn't see your response.

pure chewing satisfaction                        
