httpd-dev mailing list archives

From Rodent of Unusual Size <Ken.C...@Golux.Com>
Subject Server: response header field and ServerTokens again
Date Thu, 17 Feb 2000 12:29:33 GMT
According to some mail I've been getting, at least one online
'security' consultancy <http://www.icsa.net/> is telling their
customers that their Web servers need to omit the Server field
from the response header, or at least any version information
from it.  This is to avoid helping crackers go directly to
version-specific exploits.  (Their specific instructions to
customers describing how to change the field setting for Apache
are laughable, but..)  Apparently some Web customers are requiring
'ICSA compliance,' which means making their Web service providers
make this happen.

I'm not in favour of omitting the field altogether, but is it
worthwhile to add something like "ServerTokens ProductOnly"
so that the field looks like only "Server: Apache"?  2616
permits this; the product-version portion is optional.

Of course, a cracker is going to try *all* the known exploits,
not just some that seem to apply to a specific version, so
the *need* for this is infinitesimal at best.  But would adding
this do any harm?  It would avoid non-developer Apache people
having to hack/rebuild the source, or possibly moving to another
server just to satisfy their customers..  we *are* supposed to
be the most featureful server. ;->
-- 
#ken    P-)}

Ken Coar                    <http://Golux.Com/coar/>
Apache Software Foundation  <http://www.apache.org/>
"Apache Server for Dummies" <http://Apache-Server.Com/>

Come to the first official Apache Software Foundation
Conference!  <http://ApacheCon.Com/>
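As an added example (not part of Ken's message, and not code from the Apache project): a small POSIX shell check that reads a raw response-header block and reports how much the Server: field gives away, which is the thing a customer asking for "ICSA compliance" would actually verify. The sample responses are constructed, not captured traffic. The level names are those of the ServerTokens directive in later Apache documentation (ProductOnly, Minimal, OS, Full); the message above only establishes that ProductOnly should yield "Server: Apache". Anything carrying a version but no parenthesised OS is reported as Minimal, so the later Major/Minor settings would land there too.

```shell
#!/bin/sh
# Added example: classify what a Server: response header reveals and map it
# back (approximately) to an Apache ServerTokens level. Sample headers below
# are constructed for illustration; the ServerTokens names are assumed from
# later Apache documentation, not from the message this follows.

# Corresponding httpd.conf settings and the header each one produces:
#   ServerTokens ProductOnly   ->  Server: Apache
#   ServerTokens Minimal       ->  Server: Apache/1.3.9
#   ServerTokens OS            ->  Server: Apache/1.3.9 (Unix)
#   ServerTokens Full          ->  Server: Apache/1.3.9 (Unix) mod_perl/1.21

# Extract the value of the first Server: header from a raw header block.
# Header names are case-insensitive; a trailing CR from a real response is dropped.
server_header() {
    printf '%s\n' "$1" | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//p' \
        | head -n 1 | tr -d '\r'
}

# Report the disclosure level of the Server: header.
#   none        - header omitted entirely
#   ProductOnly - product token only, e.g. "Apache"
#   Minimal     - product/version, e.g. "Apache/1.3.9"
#   OS          - product/version plus "(OS)" comment
#   Full        - OS form followed by module tokens
server_tokens_level() {
    value=$(server_header "$1")
    case "$value" in
        "")                   echo "none" ;;
        *" ("*")"*" "*)       echo "Full" ;;
        *" ("*")")            echo "OS" ;;
        */*)                  echo "Minimal" ;;
        *)                    echo "ProductOnly" ;;
    esac
}

# Exit status 0 if any product-version is present. RFC 2616 defines
# product = token ["/" product-version], so a "/" means a version follows.
leaks_version() {
    case "$(server_header "$1")" in
        */*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real server).
SAMPLE_FULL='HTTP/1.1 200 OK
Date: Thu, 17 Feb 2000 12:29:33 GMT
Server: Apache/1.3.9 (Unix) mod_perl/1.21
Content-Type: text/html'

SAMPLE_OS='HTTP/1.1 200 OK
Server: Apache/1.3.9 (Unix)
Content-Type: text/html'

SAMPLE_MIN='HTTP/1.1 200 OK
Server: Apache/1.3.9
Content-Type: text/html'

SAMPLE_PROD='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

SAMPLE_NONE='HTTP/1.1 200 OK
Content-Type: text/html'

# Stand-alone run: print the level of each sample.
for s in "$SAMPLE_FULL" "$SAMPLE_OS" "$SAMPLE_MIN" "$SAMPLE_PROD" "$SAMPLE_NONE"; do
    printf '%-12s  %s\n' "$(server_tokens_level "$s")" "$(server_header "$s")"
done
```

To check a live server instead of the constructed samples, feed the function the output of a HEAD request, e.g. `server_tokens_level "$(curl -sI http://host/)"`; `leaks_version` gives a yes/no answer for scripting a compliance check.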
