httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ryan Bloom" <...@covalent.net>
Subject RE: cvs commit: httpd-2.0/docs/error/include bottom.html
Date Sat, 15 Jun 2002 23:56:55 GMT
> From: Aaron Bannert [mailto:aaron@clove.org]
> 
> On Sat, Jun 15, 2002 at 11:02:18AM -0400, Joshua Slive wrote:
> > rbb@apache.org wrote:
> > >rbb         2002/06/15 00:01:25
> > >
> > >  Modified:    docs/error/include bottom.html
> > >  Log:
> > >  Comment out the SERVER_STRING variable from our default error
> documents.
> > >  Some people do not like having this information in their error
pages,
> and
> > >  it makes sense to not do it by default.  If users want this back,
> they
> > >  can uncomment it.
> > >
> > >  PR:	9319
> >
> > Personally, I think this is silly.  The server signature on error
pages
> > is there for a good reason: helping people debug problems,
especially
> > with requests that pass through proxies, etc.
> 
> I agree, and the same logic above applies in reverse:
> 
> If an admin doesn't want to reveal the server string in the
> error document, they can remove that part themselves.

With one major difference.  We provide server configuration directives
to stop this stuff from being displayed.  Whether they are correct or
not, many admins do believe that they are improving security by not
exposing this information.  The problem is that you can change the
config and not affect the default error pages that we ship.  If you want
to get the information, then it is easy to add back.

However, I would simply suggest that the default error documents should
not be included in the default config.  Include the files, comment the
config, and this issue goes away.  As things stand right now, most
admins have no clue that we have replaced the default Apache error
documents which is why putting information that they _may_ want to keep
private in them is completely wrong.

Ryan



Mime
View raw message