httpd-dev mailing list archives

From: Martin Kutschker <>
Subject: RE: Removing Server: header
Date: Thu, 27 Mar 2003 09:12:42 GMT
Date: Wed, 26 Mar 2003 15:30:53 -0500
From: "Brass, Phil (ISS Atlanta)" <>

> OK, so given that Date and Last-Modified are required response headers
> and everybody pretty much hates the idea of removing them, and that
> removing the Server header amounts to nothing more than security by
> obscurity, is anybody still interested in seeing a patch that offers a
> ServerTokens value of None and strictly prevents the addition of the
> Server: header to the response? If so I'd be happy to do it.

Removing the server header won't hurt.

Perhaps you could try to make the ordering of the added headers quasi random. I don't know
how much room the RFC lets you to use a quasi random formatting of the headers' values.

Your casual wannabe hacker will be confused (or his script). But I don't think that this simple
obscuring scheme will block any serious attack.


PS: Some HTTP clients fake their identity. Why not lie on the server side. Add a fake Server
header on a random basis. Now we're an IIS, the next moment we're a Zeus :-)
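As an added illustration of the two points above (how much a verbose Server: banner discloses, and whether quasi-random header ordering is even allowed), here is example code written for this page, not code from the thread or from httpd. It assumes a constructed response and relies on the RFC 2616 section 4.2 rule that only headers with the same name must keep their relative order.

```python
import random
from collections import defaultdict, deque
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample response (not a real capture): verbose banner plus two same-name headers.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Date: Wed, 26 Mar 2003 20:30:53 GMT\r\n"
          b"Server: Apache/2.0.44 (Unix) PHP/4.3.1\r\n"
          b"Set-Cookie: first=1\r\n"
          b"Set-Cookie: second=2\r\n"
          b"Last-Modified: Tue, 25 Mar 2003 10:00:00 GMT\r\n"
          b"Content-Type: text/html\r\n\r\n<html></html>")

def parse_response(raw: bytes) -> Tuple[str, List[Header]]:
    """Return the status line and the header list, in wire order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers

def server_disclosure(headers: List[Header]) -> str:
    """Classify what the Server: header gives away: none, product, version or full."""
    values = [v for n, v in headers if n.lower() == "server"]
    if not values:
        return "none"
    banner = values[0]
    if "(" in banner or " " in banner:   # OS or module detail beyond the product token
        return "full"
    return "version" if "/" in banner else "product"

def shuffle_headers(headers: List[Header], seed=None) -> List[Header]:
    """Quasi-random order that keeps same-name headers in their original relative order."""
    rng = random.Random(seed)
    queues = defaultdict(deque)
    for name, value in headers:
        queues[name.lower()].append((name, value))
    slots = [name.lower() for name, _ in headers]
    rng.shuffle(slots)                    # shuffle the slots, not the same-name sequence
    return [queues[name].popleft() for name in slots]

def same_name_order_kept(original: List[Header], reordered: List[Header]) -> bool:
    """True if every header name's values appear in the same sequence in both lists."""
    by_name = lambda hs, n: [v for k, v in hs if k.lower() == n]
    return all(by_name(original, n) == by_name(reordered, n)
               for n in {k.lower() for k, _ in original})
```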
