httpd-dev mailing list archives

From Randy Terbush <ra...@Covalent.NET>
Subject Re: 1.3b8 (fwd)
Date Fri, 29 May 1998 17:24:42 GMT
I've been somewhat absent from this debate...

I like very much the ability to add Server: info via an API call. I
strongly dislike the ability to turn it off. I understand the
desirable security issues of this; however, from a commercial module
vendor's point of view, the ability to turn it off is not kewl.
There probably ought to be another header emitted for installed
modules.

-Randy


Dirk-Willem van Gulik <dirk.vangulik@jrc.it> writes:
> On Thu, 28 May 1998, Rodent of Unusual Size wrote:
> 
> > > I'd rather not have that.  I rather like the very minimal
> > > advertising we get from having a Server: header on all our
> > > servers... except for those of folks clueful enough to edit
> > > source anyhow.
> > 
> > We probably shouldn't call ourselves "fully HTTP/1.1 compliant,"
> > then, since being able to turn off the Server header field emission
> > is a SHOULD.  From RFC 2068:
> 
> Yup, so we are: RFC2119. 
> 
> 3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
>    may exist valid reasons in particular circumstances to ignore a
>    particular item, but the full implications must be understood and
>    carefully weighed before choosing a different course.
>  
> But... one could put a scary line in the docs saying:
> 
> In order to ensure compliance with the HTTP/1.1 standard (as described in
> RFC2068) you are strongly advised against changing or turning the server
> header off. DO consult this standard document if you do not fully
> understand the implications of making changes. 
> 
> And in fact this would be warranted; I've noticed that at least one
> firewall vendor gives apache slightly more proxy legroom than the 
> other servers.
> 
> Dw.
