httpd-dev mailing list archives

From "Brass, Phil (ISS Atlanta)" <PBr...@iss.net>
Subject RE: Removing Server: header
Date Wed, 26 Mar 2003 20:30:53 GMT
OK, so given that Date and Last-Modified are required response headers
and everybody pretty much hates the idea of removing them, and that
removing the Server header amounts to nothing more than security by
obscurity, is anybody still interested in seeing a patch that offers a
ServerTokens value of None and strictly prevents the addition of the
Server: header to the response?  If so I'd be happy to do it.

Thanks in advance!

Phil

> -----Original Message-----
> From: Roy T. Fielding [mailto:fielding@apache.org] 
> Sent: Tuesday, March 25, 2003 5:39 PM
> To: dev@httpd.apache.org
> Subject: Re: Removing Server: header
> 
> 
> On Saturday, March 22, 2003, at 07:15  AM, Brass, Phil (ISS Atlanta) 
> wrote:
> > The point of stripping Date and Last-modified headers is that HTTP
> > fingerprinting tools look at things like header order, the formatting
> > of dates and times, etc.
> 
> So change the format and order.  Stripping them is a protocol 
> violation.
> 
> > Alternately, does anybody know why the Server, Date, Accept-Ranges,
> > Last-Modified, and other headers are put in last, after things like
> > mod_headers run?  Perhaps a better patch would be to move the code
> > that adds these headers to the response earlier in the code so that
> > users can simply use mod_headers to strip whichever ones they want, or
> > a module for randomizing header order could be written, etc.
> 
> They are put in last specifically to prevent them from being 
> randomized by buggy modules.
> 
> ....Roy
> 
> 
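Added example, not part of the thread or of httpd itself: a small Python audit of a captured response that checks the trade-off argued above, namely whether the required Date header survived a header-stripping change and how much the Server header still discloses. The disclosure levels only roughly mirror Apache's ServerTokens settings, and the two sample responses are constructed.

```python
import re

# HTTP/1.1 requires an origin server with a clock to send Date, which is why
# the thread treats stripping it as a protocol violation rather than hardening.
REQUIRED_HEADERS = ("Date",)

def parse_response(raw: bytes):
    """Split a raw response into (status line, ordered header list).
    Order is kept because fingerprinting tools look at header order too."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def server_disclosure(server):
    """Classify what a Server value reveals. Levels only roughly mirror
    Apache's ServerTokens: none, product (Prod), version (Min), os (OS), full."""
    if not server:
        return "none"
    os_comment = "(" in server
    products = re.sub(r"\([^)]*\)", " ", server).split()  # drop "(Unix)" etc.
    if len(products) > 1:
        return "full"       # extra product tokens, e.g. module versions
    if os_comment:
        return "os"
    if "/" in products[0]:
        return "version"
    return "product"

def audit(raw: bytes):
    """Report missing required headers, header order and Server disclosure."""
    _status, headers = parse_response(raw)
    present = {name.lower() for name, _ in headers}
    server = next((v for n, v in headers if n.lower() == "server"), None)
    return {
        "missing_required": [h for h in REQUIRED_HEADERS if h.lower() not in present],
        "header_order": [name for name, _ in headers],
        "server_disclosure": server_disclosure(server),
    }

# Constructed sample responses (not captured from any real server).
HARDENED = (b"HTTP/1.1 200 OK\r\nDate: Wed, 26 Mar 2003 20:30:53 GMT\r\n"
            b"Server: Apache\r\nContent-Type: text/html\r\n\r\n<html></html>")
OVERSTRIPPED = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.44 (Unix) PHP/4.3.1\r\n"
                b"Content-Type: text/html\r\n\r\n")
```

`audit(OVERSTRIPPED)` flags the missing Date header while still reporting a "full" Server banner, the combination the thread argues is the wrong way round.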
