httpd-dev mailing list archives

From Thomas Eibner <tho...@stderr.net>
Subject Re: Better privacy with SERVER_SIGNATURE
Date Wed, 17 Oct 2001 05:04:10 GMT
On Wed, Oct 17, 2001 at 06:35:27AM +0200, Thomas Eibner wrote:
> On Tue, Oct 16, 2001 at 02:41:39AM -0700, Martin Kraemer wrote:
> > A customer here at the Systems2001 asked why the $SERVER_SIGNATURE
> > always contained the apache version number, even when a restriction
> > was configured like
> >   ServerTokens ProductOnly
> > 
> > IMO he is right: if the apache administrator expresses her wish that
> > clients only see the server software ("Apache") but not its version
> > number ("Apache/1.3.22"), then it is silly if you can bypass this
> > restriction by having apache create a "server generated" page like
> > Error page, Directory index etc.
> 
> Why not just fix it so that ServerTokens Prod[uctOnly] influences what
> the environment variable SERVER_SIGNATURE contains and then leave it by
> that?

Or just use ServerSignature Off to get rid of it showing up at all?

*grmbl for replying to my own post*

-- 
  Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
  mod_pointer <http://stderr.net/mod_pointer> 
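
An added example, not part of the original message or of Apache itself: a check an administrator could run over captured responses to confirm that the version token is absent from both the `Server` header and the server-generated signature footer discussed in this thread. The sample responses, the footer layout and the host name `www.example.com` are constructed for illustration; only the `Apache/1.3.22` token comes from the thread.

```python
import re

# A product token that carries a version, e.g. "Apache/1.3.22".
VERSIONED = re.compile(r"\bApache/\d[\w.]*", re.IGNORECASE)
# Footer element carrying the signature on server-generated pages (assumed layout).
ADDRESS = re.compile(r"<address>(.*?)</address>", re.IGNORECASE | re.DOTALL)


def version_leaks(raw_response):
    """Return (location, token) pairs for version strings in one raw HTTP response."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    leaks = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            leaks += [("Server header", tok) for tok in VERSIONED.findall(value)]
    for footer in ADDRESS.findall(body):
        leaks += [("signature footer", tok) for tok in VERSIONED.findall(footer)]
    return leaks


def _response(server, footer):
    """Build a constructed 404 response with the given Server value and footer."""
    body = "<HTML><BODY><H1>Not Found</H1><HR>\n" + footer + "</BODY></HTML>\n"
    return ("HTTP/1.1 404 Not Found\r\nServer: " + server +
            "\r\nContent-Type: text/html\r\n\r\n" + body)


# Constructed samples, not captured traffic.
FOOTER = "<ADDRESS>Apache/1.3.22 Server at www.example.com Port 80</ADDRESS>\n"
DEFAULTS = _response("Apache/1.3.22 (Unix)", FOOTER)  # nothing restricted
TOKENS_ONLY = _response("Apache", FOOTER)             # the mismatch the thread describes
SIGNATURE_OFF = _response("Apache", "")               # footer suppressed entirely

if __name__ == "__main__":
    for label, sample in [("defaults", DEFAULTS),
                          ("ServerTokens ProductOnly", TOKENS_ONLY),
                          ("ServerSignature Off", SIGNATURE_OFF)]:
        print(label, "->", version_leaks(sample) or "no version disclosed")
```
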

