httpd-dev mailing list archives

From "Brass, Phil (ISS Atlanta)" <PBr...@iss.net>
Subject RE: Removing Server: header
Date Sat, 22 Mar 2003 15:15:26 GMT
The point of stripping Date and Last-modified headers is that HTTP
fingerprinting tools look at things like header order, the formatting of
dates and times, etc.

The ServerTokens directive currently can at best be set to Prod, which
will cause it to return "Apache".

Anyhow, how about a patch that just allows ServerTokens to be set to
"None" and gets rid of just the Server header?

Alternately, does anybody know why the Server, Date, Accept-Ranges,
Last-Modified, and other headers are put in last, after things like
mod_headers run?  Perhaps a better patch would be to move the code that
adds these headers to the response earlier in the code so that users can
simply use mod_headers to strip whichever ones they want, or a module
for randomizing header order could be written, etc.

Phil

> -----Original Message-----
> From: Graham Leggett [mailto:minfrin@sharp.fm] 
> Sent: Saturday, March 22, 2003 9:55 AM
> To: dev@httpd.apache.org
> Subject: Re: Removing Server: header
> 
> 
> Brass, Phil (ISS Atlanta) wrote:
> 
> > Hi, I recently patched my debian apache server source to add a new 
> > ServerToken value, ServerToken=Hide, which will remove the Server, 
> > Date, and Last-Modified headers (to make server identification a 
> > little more difficult (yes I know this is bad for proxies, 
> > if that's a
> > big deal we can just have it remove the Server: header, that's 
> > probably all most people would expect anyway)).
> 
> I'm curious - what benefit would be had by stripping Date and 
> Last-Modified?
> 
> Does Apache not already have an override for the Server value?
> 
> Regards,
> Graham
> -- 
> -----------------------------------------
> minfrin@sharp.fm		"There's a moon
> 					over Bourbon Street
> 						tonight..."
> 
> 
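The thread's point is that removing the Server header alone leaves other signals (header order, the date format) that fingerprinting tools compare against. As an added example that is not code from this thread or from the httpd project, the following script audits a raw response for those remaining signals so an administrator can see what a given ServerTokens or mod_headers configuration actually hides. The reference header order, the sample responses and the function names are constructed assumptions for illustration, not recorded Apache signatures.

```python
"""Audit a raw HTTP response for server-fingerprinting signals.

Added example, not part of the httpd-dev thread or the httpd code base.
REFERENCE_ORDER and the SAMPLE_* responses are constructed for illustration.
"""
import re
from datetime import datetime

# Constructed reference ordering a comparison could be made against; it is an
# assumption for this example, not a recorded signature of any httpd version.
REFERENCE_ORDER = [
    "date", "server", "last-modified", "etag", "accept-ranges",
    "content-length", "content-type",
]

# RFC 1123 date form that HTTP/1.1 requires senders to generate.
HTTP_DATE_FORMAT = "%a, %d %b %Y %H:%M:%S GMT"
DATE_HEADERS = {"date", "last-modified", "expires"}


def parse_headers(raw):
    """Return (name, value) pairs from a raw response, keeping wire order.

    Names are lower-cased, the status line is skipped, and parsing stops at
    the blank line that ends the header block.
    """
    pairs = []
    for line in re.split(r"\r?\n", raw)[1:]:
        if line.strip() == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def is_http_date(value):
    """True when value is spelled exactly as an RFC 1123 HTTP date."""
    try:
        datetime.strptime(value, HTTP_DATE_FORMAT)
    except ValueError:
        return False
    return True


def order_matches(names, reference=REFERENCE_ORDER):
    """True when the reference headers that appear do so in reference order."""
    present = [n for n in names if n in reference]
    return present == sorted(present, key=reference.index)


def audit(raw):
    """Summarise what a fingerprinting tool could still learn from raw."""
    pairs = parse_headers(raw)
    names = [n for n, _ in pairs]
    server = next((v for n, v in pairs if n == "server"), None)
    return {
        "server": server,
        "server_has_version": bool(server and re.search(r"/\d", server)),
        "order_matches_reference": order_matches(names),
        "nonstandard_dates": [n for n, v in pairs
                              if n in DATE_HEADERS and not is_http_date(v)],
    }


# Constructed sample responses (not captured from a real server).
SAMPLE_FULL = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 22 Mar 2003 14:55:00 GMT\r\n"
    "Server: Apache/1.3.27 (Unix)\r\n"
    "Last-Modified: Fri, 21 Mar 2003 09:00:00 GMT\r\n"
    "ETag: \"1a2b-3c\"\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 5\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "hello"
)
# What ServerTokens Prod would look like: product name only.
SAMPLE_PROD = SAMPLE_FULL.replace("Server: Apache/1.3.27 (Unix)\r\n", "Server: Apache\r\n")
# What stripping only the Server header would look like.
SAMPLE_NO_SERVER = SAMPLE_FULL.replace("Server: Apache/1.3.27 (Unix)\r\n", "")
# A response with a different header order and an obsolete RFC 850 date.
SAMPLE_REORDERED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 5\r\n"
    "Last-Modified: Friday, 21-Mar-03 09:00:00 GMT\r\n"
    "Date: Sat, 22 Mar 2003 14:55:00 GMT\r\n"
    "\r\n"
    "hello"
)

if __name__ == "__main__":
    for label, raw in [("full", SAMPLE_FULL), ("prod", SAMPLE_PROD),
                       ("no-server", SAMPLE_NO_SERVER), ("reordered", SAMPLE_REORDERED)]:
        print(label, audit(raw))
```

Running it shows that the Prod and stripped variants still match the reference order with standard-format dates, which is the residual signal the thread is talking about; only the reordered sample breaks both comparisons.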
