httpd-dev mailing list archives

From Daniel Lopez <dan...@rawbyte.com>
Subject Re: cvs commit: httpd-2.0/modules/http http_protocol.c
Date Fri, 22 Mar 2002 19:22:04 GMT

> > minfrin     02/03/22 10:34:46
> >
> >   Modified:    .        CHANGES
> >                modules/http http_protocol.c
> >   Log:
> >   When a proxied site was being served, Apache was replacing
> >   the original site Server header with its own, which is not
> >   allowed by RFC2616. Fixed.
> 
> This may be my imagination, but won't this allow any module (or even CGI
> script) to set the Server header and override the default one?  Do we want
> this?  (I'm undecided, but it is a significant change from previous
> behavior.)

Agree, it should be an option at least. There are certain instances where
you may want to prevent the original server header from being exposed, to
avoid information leaking. For example, if you are load balancing IIS servers
or specific application server versions.

Daniel
