httpd-dev mailing list archives

From Thomas Eibner <>
Subject Re: Better privacy with SERVER_SIGNATURE
Date Wed, 17 Oct 2001 04:35:27 GMT
On Tue, Oct 16, 2001 at 02:41:39AM -0700, Martin Kraemer wrote:
> A customer here at the Systems2001 asked why the $SERVER_SIGNATURE
> always contained the apache version number, even when a restriction
> was configured like
>   ServerTokens ProductOnly
> IMO he is right: if the apache administrator expresses her wish that
> clients only see the server software ("Apache") but not its version
> number ("Apache/1.3.22"), then it is silly if you can bypass this
> restriction by having apache create a "server generated" page like
> Error page, Directory index etc.

Why not just fix it so that ServerTokens Prod[uctOnly] influences what
the environment variable SERVER_SIGNATURE contains and then leave it by

I don't like the idea of people being able to change the server
signature to something like "AnythingGoes/1.0", 'cause there is really
no product called that, if it's Apache, it should say Apache or not
say anything at all. And the disguising of the OS doesn't really matter
either since there are other ways of figuring out what OS you're 
running. If people can't figure out how to patch the source to show
up another name than Apache they really shouldn't be messing with it

Is there a really good reason why you want something other than "Apache"
to show up in the Server header? Security? Keeping up with security
announcements and upgrading when necessary should be enough I think.

Related to this: what is it going to do to the Netcraft survey when
every kid on the block starts changing the server header to 

my $cent = 2;

  Thomas Eibner <> DnsZone <>
  mod_pointer <> 
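The thread turns on two Apache 1.3 directives: ServerTokens (which trims the Server header down to "Apache" with ProductOnly/Prod) and ServerSignature (which controls the footer line on server-generated error pages and directory listings). An administrator who sets both wants a way to confirm that neither the header nor a generated page still carries a version string. The POSIX shell below is an added example, not code from the thread or from the Apache project: it scans a captured HTTP response for an "Apache/<digits>" token. Both responses are constructed for the example, not captured from a real server; the configuration lines in the comments use the real directive names and values.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks a captured HTTP
# response for a version leak that the following Apache 1.3 configuration
# is meant to suppress:
#
#   ServerTokens Prod        # Server header becomes "Apache" only
#   ServerSignature Off      # no "Apache/x.y.z Server at host Port n" footer
#
# leaks_version: returns 0 (true) when the text contains "Apache/<digits>",
# i.e. a product/version string, in either the headers or the body.
leaks_version() {
    printf '%s\n' "$1" | grep -Eq 'Apache/[0-9]'
}

# Constructed response as it would look with ServerTokens Full and
# ServerSignature On: version appears twice, once per mechanism.
LEAKY_RESPONSE='HTTP/1.1 404 Not Found
Server: Apache/1.3.22 (Unix)
Content-Type: text/html

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY><H1>Not Found</H1>
<HR>
<ADDRESS>Apache/1.3.22 Server at www.example.com Port 80</ADDRESS>
</BODY></HTML>'

# Constructed response with ServerTokens Prod and ServerSignature Off:
# the Server header carries only the product name and the footer is gone.
QUIET_RESPONSE='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY><H1>Not Found</H1>
</BODY></HTML>'

# report: prints a one-line verdict for a labelled response.
report() {
    label=$1
    body=$2
    if leaks_version "$body"; then
        echo "$label: version string present (check ServerTokens/ServerSignature)"
    else
        echo "$label: no version string found"
    fi
}

report "leaky" "$LEAKY_RESPONSE"
report "quiet" "$QUIET_RESPONSE"
```

In practice the response text would come from a request for a path that does not exist, so that the server itself generates the error page rather than serving a static file. Note that the check only covers the header and the generated-page footer the thread discusses; a version string can also reach a client through a CGI or SSI page that echoes the SERVER_SIGNATURE variable, which is exactly the case the quoted customer complained about.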
