httpd-dev mailing list archives

From Jim Jagielski <>
Subject Re: Server: response header field and ServerTokens again
Date Thu, 17 Feb 2000 12:29:02 GMT
I see no reason not to extend ServerTokens as required.

Rodent of Unusual Size wrote:
> According to some mail I've been getting, at least one online
> 'security' consultancy <> is telling their
> customers that their Web servers need to omit the Server field
> from the response header, or at least any version information
> from it.  This is to avoid helping crackers go directly to
> version-specific exploits.  (Their specific instructions to
> customers describing how to change the field setting for Apache
> are laughable, but..)  Apparently some Web customers are requiring
> 'ICSA compliance,' which means making their Web service providers
> make this happen.
> I'm not in favour of omitting the field altogether, but is it
> worthwhile to add something like "ServerTokens ProductOnly"
> so that the field looks like only "Server: Apache"?  2616
> permits this; the product-version portion is optional.
> Of course, a cracker is going to try *all* the known exploits,
> not just some that seem to apply to a specific version, so
> the *need* for this is infinitesimal at best.  But would adding
> this do any harm?  It would avoid non-developer Apache people
> having to hack/rebuild the source, or possibly moving to another
> server just to satisfy their customers..  we *are* supposed to
> be the most featureful server. ;->
> -- 
> #ken    P-)}
> Ken Coar                    <http://Golux.Com/coar/>
> Apache Software Foundation  <>
> "Apache Server for Dummies" <http://Apache-Server.Com/>
> Come to the first official Apache Software Foundation
> Conference!  <http://ApacheCon.Com/>

   Jim Jagielski   [|]   [|]
                "Are you suggesting coconuts migrate??"
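An added check, not part of this thread or of Apache's own code, that parses a Server header value with the RFC 2616 grammar the message cites (product tokens with an optional product-version, plus parenthesised comments) and reports whether the header is down to the bare product name that a ProductOnly setting would send. The header values in the tests are constructed samples.

```python
import re

# RFC 2616 Server header, simplified:
#   Server = 1*( product | comment )
#   product = token [ "/" product-version ]
#   comment = "(" *( ctext | comment ) ")"
# token chars: any CHAR except CTLs and the separators ()<>@,;:\"/[]?={} SP HT
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT_RE = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")


def parse_server_header(value):
    """Return (products, comments) for a Server header value.

    products is a list of (name, version_or_None); comments is a list of
    comment bodies, with nested comments kept verbatim inside their parent.
    """
    products, comments = [], []
    i, n = 0, len(value)
    while i < n:
        if value[i].isspace():
            i += 1
        elif value[i] == "(":
            depth, start = 0, i
            while i < n:
                if value[i] == "(":
                    depth += 1
                elif value[i] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                i += 1
            if depth != 0:
                raise ValueError("unterminated comment in Server header")
            comments.append(value[start + 1:i])
            i += 1  # step past the closing ")"
        else:
            m = PRODUCT_RE.match(value, i)
            if not m:
                raise ValueError(f"bad token at offset {i}: {value[i:]!r}")
            products.append((m.group(1), m.group(2)))
            i = m.end()
    return products, comments


def product_only(value):
    """True when nothing beyond bare product names is sent, i.e. the
    "Server: Apache" shape a ServerTokens ProductOnly setting would give."""
    products, comments = parse_server_header(value)
    return not comments and all(ver is None for _, ver in products)
```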
