httpd-dev mailing list archives

From "Ryan Bloom" <>
Subject RE: cvs commit: httpd-2.0/docs/error/include bottom.html
Date Wed, 19 Jun 2002 21:20:04 GMT
> From: Aaron Bannert []
> On Sat, Jun 15, 2002 at 07:01:25AM -0000, wrote:
> > rbb         2002/06/15 00:01:25
> >
> >   Modified:    docs/error/include bottom.html
> >   Log:
> >   Comment out the SERVER_STRING variable from our default error documents.
> >   Some people do not like having this information in their error and
> >   it makes sense to not do it by default.  If users want this back,
> >   can uncomment it.
> I'm sorry to have to revisit this, but I'm going to have to -1 this
> whole thing. I don't want to have to go and enable all of my error
> docs just because some admins believe it exposes them to risk,
> which of course is total bunk.

This argument is complete bunk.  The problem is simple.  We provide a
directive that disables showing server information in the error log.
With the default for our custom logs being to show that information, it
is completely non-intuitive that if I disable the feature in the config
file the error docs will ignore that config.

Simply by principle of least astonishment, the default should be the
most restrictive, so that people who decide to be the most restrictive
won't have to go changing things.

I would also remind you that there are people on this list who run major
servers who _don't_ give out version information.  That may be because
their company demands it, or it may be because they believe it is more
secure.  It really doesn't matter.

Having the information in the error pages by default is bogus.  Either
add another variable, or leave it out.  Adding it back in completely is
completely wrong.

