httpd-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: Removing Server: header
Date Sat, 22 Mar 2003 15:53:45 GMT
Brass, Phil (ISS Atlanta) wrote:

> The point of stripping Date and Last-modified headers is that HTTP
> fingerprinting tools look at things like header order, the formatting of
> dates and times, etc.

The Date and Last-Modified headers exist as an integral part of
HTTP/1.1, and removing and/or fiddling with them isn't a good idea
protocol-wise.

> The ServerTokens directive currently can at best be set to Prod, which
> will cause it to return "Apache".
> 
> Anyhow, how about a patch that just allows ServerTokens to be set to
> "None" and gets rid of just the Server header?

Because this is simply security through obscurity. A server with an 
exploit is still exploitable regardless of whether it returns a server 
header or not. Rather ensure your software is patched up to date at all 
times.

I believe that playing with or removing these headers is a waste of time.

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm		"There's a moon
					over Bourbon Street
						tonight..."

