httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aaron Bannert <aa...@clove.org>
Subject Re: cvs commit: httpd-2.0/docs/error/include bottom.html
Date Wed, 19 Jun 2002 21:04:25 GMT
On Sat, Jun 15, 2002 at 07:01:25AM -0000, rbb@apache.org wrote:
> rbb         2002/06/15 00:01:25
> 
>   Modified:    docs/error/include bottom.html
>   Log:
>   Comment out the SERVER_STRING variable from our default error documents.
>   Some people do not like having this information in their error pages, and
>   it makes sense to not do it by default.  If users want this back, they
>   can uncomment it.

I'm sorry to have to revisit this, but I'm going to have to -1 this
whole thing. I don't want to have to go and enable all of my error
docs just because some admins believe it exposes them to risk,
which of course is total bunk.

If an admin doesn't want to display their server version, they're going
to have to turn them off themselves, or we're going to have to provide
an easier way to do this. Hiding a variable deep in an included SSI file
is not satisfactory.

I'm not interested in any default values that encourage security by
obscurity.

-aaron

Mime
View raw message