httpd-dev mailing list archives

From Martin Kraemer <>
Subject Better privacy with SERVER_SIGNATURE
Date Tue, 16 Oct 2001 09:41:39 GMT
A customer here at the Systems2001 asked why the $SERVER_SIGNATURE
always contained the apache version number, even when a restriction
was configured like
  ServerTokens ProductOnly

IMO he is right: if the apache administrator expresses her wish that
clients only see the server software ("Apache") but not its version
number ("Apache/1.3.22"), then it is silly if you can bypass this
restriction by having apache create a "server generated" page like an
Error page, Directory index, etc.

The following patch addresses this concern. If "ServerTokens Prod"
is configured, it suppresses the version number.

It does not, however, track the other possible settings of the
ServerTokens directive (Full, Minimal, ...).

I considered using a modification of the ServerSignature directive
instead. Currently we have
   ServerSignature Off|On|EMail
but we would need an additional degree of configurability, like:
   ServerSignature Off|Short|ShortWithEMail|Long|LongWithEMail
where On == Long and EMail == LongWithEMail, or two words
   ServerSignature Empty|Short|Long  NoMailtoLink|AddMailtoLink
(just an example. Imply backward compatible keywords)

Which solution do you prefer:
a) automatic coupling with ServerTokens?
b) Separate configuration by new keywords for ServerSignature?
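Added example, not part of Martin's message or of the patch he refers to: a small POSIX shell audit that checks, from the defender's side, for the inconsistency described above. `audit_config` reads an httpd configuration fragment and flags a `ServerSignature On|EMail` setting that sits alongside a restricted `ServerTokens`, since at the time of this message the signature line still carried the full version regardless of ServerTokens; `check_version_leak` scans a saved HTTP response (headers, blank line, body) for an `Apache/<version>` string in either the Server header or a server-generated body. The directive names and defaults (`ServerTokens Full`, `ServerSignature Off`) are httpd's own; the file layout, function names and sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message). Two defender-side checks for
# version disclosure through ServerTokens / ServerSignature.

# audit_config FILE
#   Reports the effective ServerTokens / ServerSignature pair (the last
#   occurrence of each directive wins, as in httpd) and returns 1 when the
#   signature is enabled while ServerTokens restricts the banner, because the
#   signature line can then still reveal the version that ServerTokens hides.
audit_config() {
    conf="$1"
    tokens=$(grep -i '^[[:space:]]*ServerTokens[[:space:]]' "$conf" \
             | tail -n 1 | awk '{print tolower($2)}')
    sig=$(grep -i '^[[:space:]]*ServerSignature[[:space:]]' "$conf" \
          | tail -n 1 | awk '{print tolower($2)}')
    # httpd defaults when the directive is absent
    [ -z "$tokens" ] && tokens=full
    [ -z "$sig" ] && sig=off
    echo "ServerTokens=$tokens ServerSignature=$sig"
    if [ "$tokens" != "full" ] && [ "$sig" != "off" ]; then
        echo "warning: ServerSignature $sig is enabled while ServerTokens $tokens" \
             "restricts the banner; set ServerSignature Off"
        return 1
    fi
    return 0
}

# check_version_leak FILE
#   FILE holds a raw HTTP response (status line, headers, blank line, body),
#   e.g. one saved from a request for a non-existent path. Returns 0 when no
#   "Apache/<digits>" string is found, 1 otherwise, naming where it was found.
check_version_leak() {
    file="$1"
    rc=0
    # Header block: everything up to the first blank line (CRLF tolerated,
    # since \r falls in [[:space:]]).
    if sed '/^[[:space:]]*$/q' "$file" | grep -iq '^Server:.*Apache/[0-9]'; then
        echo "version disclosed in Server header"
        rc=1
    fi
    # Body: everything after the first blank line; this is where the
    # server signature of an error page or directory index appears.
    if sed '1,/^[[:space:]]*$/d' "$file" | grep -q 'Apache/[0-9]'; then
        echo "version disclosed in response body"
        rc=1
    fi
    return $rc
}

# Usage: audit_config httpd.conf ; check_version_leak saved-response.txt
```

Run `audit_config` against the configuration before reload and `check_version_leak` against a captured 404 response afterwards; a clean result from both means neither the banner nor the server-generated pages expose the version.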

