httpd-dev mailing list archives

From Rodent of Unusual Size <Ken.C...@Golux.Com>
Subject Re: 1.3b8
Date Thu, 28 May 1998 23:14:25 GMT
Dean Gaudet wrote:
> 
> I'd rather not have that.  I rather like the very minimal
> advertising we get from having a Server: header on all our
> servers... except for those of folks clueful enough to edit
> source anyhow.

We probably shouldn't call ourselves "fully HTTP/1.1 compliant,"
then, since being able to turn off the Server header field emission
is a SHOULD.  From RFC 2068:

>14.39 Server
>     Note: Revealing the specific software version of the server may
>     allow the server machine to become more vulnerable to attacks
>     against software that is known to contain security holes. Server
>     implementers are encouraged to make this field a configurable
>     option.

>15.4 Transfer of Sensitive Information
>    Revealing the specific software version of the server may allow
>    the server machine to become more vulnerable to attacks against
>    software that is known to contain security holes. Implementers
>    SHOULD make the Server header field a configurable option.

Personally, I'd rather be fully compliant and give our users
the ability to turn it off altogether (how many are going to?) than
have my ego stroked by the count of servers out there.  Although
it's a close call.. :->

#ken	P-)}

Ken Coar                    <http://Web.Golux.Com/coar/>
Apache Group member         <http://www.apache.org/>
"Apache Server for Dummies" <http://Web.Golux.Com/coar/ASFD/>
