httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <jos...@slive.ca>
Subject Re: cvs commit: httpd-2.0/docs/error/include bottom.html
Date Sat, 15 Jun 2002 15:02:18 GMT
rbb@apache.org wrote:
> rbb         2002/06/15 00:01:25
> 
>   Modified:    docs/error/include bottom.html
>   Log:
>   Comment out the SERVER_STRING variable from our default error documents.
>   Some people do not like having this information in their error pages, and
>   it makes sense to not do it by default.  If users want this back, they
>   can uncomment it.
>   
>   PR:	9319

Personally, I think this is silly.  The server signature on error pages 
is there for a good reason: helping people debug problems, especially 
with requests that pass through proxies, etc.

My opinion is that we should do one or both of the following:

- Comment out the multi-lingual error messages in the default config.  I 
think these are great to have, and I recommend that everyone use them, 
but they use a bunch of features that aren't used anywhere else in the 
default install, and therefore open many potential security problems.

- Add a ServerSignature CGI environment variable that we can test on in 
the error pages and deliver the appropriate content.

Joshua.





Mime
View raw message