Date: Wed, 17 Oct 2001 06:35:27 +0200
From: Thomas Eibner
To: dev@httpd.apache.org
Subject: Re: Better privacy with SERVER_SIGNATURE
Message-ID: <20011017063527.A24198@io.stderr.net>
References: <20011016024139.A17976@icarus.apache.org>
In-Reply-To: <20011016024139.A17976@icarus.apache.org>; from martin@apache.org on Tue, Oct 16, 2001 at 02:41:39AM -0700
User-Agent: Mutt/1.2.5i

On Tue, Oct 16, 2001 at 02:41:39AM -0700, Martin Kraemer wrote:
> A customer here at the Systems2001 asked why the $SERVER_SIGNATURE
> always contained the apache version number, even when a restriction
> was configured like
>     ServerTokens ProductOnly
>
> IMO he is right: if the apache administrator expresses her wish that
> clients only see the server software ("Apache") but not its version
> number ("Apache/1.3.22"), then it is silly if you can bypass this
> restriction by having apache create a "server generated" page like
> Error page, Directory index etc.

Why not just fix it so that ServerTokens Prod[uctOnly] influences what
the environment variable SERVER_SIGNATURE contains and then leave it at
that?

I don't like the idea of people being able to change the server
signature to something like "AnythingGoes/1.0", 'cause there is really
no product called that. If it's Apache, it should say Apache or not say
anything at all.
And the disguising of the OS doesn't really matter either, since there
are other ways of figuring out what OS you're running. If people can't
figure out how to patch the source to show a name other than Apache,
they really shouldn't be messing with it (IMHO).

Is there a really good reason why you want something other than
"Apache" to show up in the Server header? Security? Keeping up with
security announcements and upgrading when necessary should be enough,
I think.

Related to this: what is it going to do to the Netcraft survey when
every kid on the block starts changing the server header to
"MyCoolWebserver/2.0"?

my $cent = 2;

-- 
Thomas Eibner
DnsZone mod_pointer
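The leak Martin describes is easy to miss in an audit because people check only the Server header and not the footer of a server-generated 404 or directory index. The following script is an added example, not code from this thread or from the httpd project: it takes a raw HTTP response, reports any product/version string found in the Server header and in any `<address>` signature block in the body, and classifies the Server header by the ServerTokens level (Prod, Major, Minor, Min, OS, Full) that would have produced it. The two sample responses are constructed for this example; the hostname www.example.com, the URL /nothere and the date are made up, and the first sample models the exact situation in the thread: `ServerTokens Prod` hides the version in the header while the signature still prints `Apache/1.3.22`.

```python
"""Audit an HTTP response for server-version disclosure in both the
Server header and an Apache-style signature footer."""
import re

# Constructed sample: server configured with
#     ServerTokens Prod
#     ServerSignature On
# on a build whose signature footer ignores ServerTokens (the case in the thread).
LEAKY_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Wed, 17 Oct 2001 04:34:19 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY>\n"
    "<H1>Not Found</H1>\n"
    "The requested URL /nothere was not found on this server.<P>\n"
    "<HR>\n"
    "<ADDRESS>Apache/1.3.22 Server at www.example.com Port 80</ADDRESS>\n"
    "</BODY></HTML>\n"
)

# Constructed sample: same page with ServerSignature Off (or a signature
# that honours ServerTokens), so nothing beyond the product name is shown.
QUIET_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Wed, 17 Oct 2001 04:34:19 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY>\n"
    "<H1>Not Found</H1>\n"
    "The requested URL /nothere was not found on this server.<P>\n"
    "</BODY></HTML>\n"
)

# A product token followed by a numeric version, e.g. "Apache/1.3.22" or "mod_perl/1.26".
VERSION_RE = re.compile(r"\b[A-Za-z][\w.+-]*/\d+(?:\.\d+)*[^\s<]*")
# The footer Apache emits on error pages and directory listings.
ADDRESS_RE = re.compile(r"<address>(.*?)</address>", re.IGNORECASE | re.DOTALL)


def split_response(raw):
    """Return (status line, header dict keyed by lowercased name, body)."""
    head, _, body = re.split(r"(\r?\n\r?\n)", raw, maxsplit=1) + ["", ""][:0] if False else _split(raw)
    return head, _, body


def _split(raw):
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else ""
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_version_leaks(raw):
    """Collect version-bearing tokens from the Server header and the signature."""
    _status, headers, body = split_response(raw)
    leaks = {"server_header": [], "signature": []}
    leaks["server_header"] = VERSION_RE.findall(headers.get("server", ""))
    for sig in ADDRESS_RE.findall(body):
        leaks["signature"].extend(VERSION_RE.findall(sig))
    return leaks


def is_product_only(raw):
    """True when neither the header nor the page footer discloses a version."""
    leaks = find_version_leaks(raw)
    return not leaks["server_header"] and not leaks["signature"]


def server_tokens_level(server):
    """Map a Server header value onto the ServerTokens level that produces it."""
    m = re.match(r"^(\S+?)(?:/(\d+(?:\.\d+)*))?(?:\s+\(([^)]*)\))?(?:\s+(.+))?$",
                 server.strip())
    if not m:
        return "Unknown"
    _product, version, os_comment, rest = m.groups()
    if rest:            # module list after the OS comment
        return "Full"
    if os_comment:      # "Apache/1.3.22 (Unix)"
        return "OS"
    if version is None: # "Apache"
        return "Prod"
    return {1: "Major", 2: "Minor"}.get(len(version.split(".")), "Min")


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("quiet", QUIET_RESPONSE)):
        print(label, find_version_leaks(resp), "product-only:", is_product_only(resp))
```

Run it against a real server by replacing the constructed samples with the bytes of a request for a path that does not exist and for a directory without an index file; those two pages are where the signature footer appears. A clean result is a Server header classified as Prod and an empty `signature` list.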