From Jim Jagielski
Subject Re: Proposal: Allow ServerTokens to specify Server header completely
Date Tue, 13 Jan 2004 14:23:02 GMT
Colm MacCarthaigh wrote:
> On Tue, Jan 13, 2004 at 03:04:30PM +0100, Lars Eilebrecht wrote:
> > - It's only security by obscurity and providing such a
> >   "security feature" may be misleading for our users.
> > - We don't want people to obfuscate the server name, do we?
> It's a terrible terrible terrible idea, and makes auditing your
> own network much much harder, but it's really a decision for
> administrators to make - if they want to shoot themselves in the
> foot, let them :)
> Most admins never compile apache :)

It's from various admins, using open source and commercial
versions of Apache that I've rec'd the "request" from. One
request from an admin was to make it *easier* to audit his
network, by allowing each machine to have a slightly different
"real" name. Compiling several dozens of versions of Apache to
do this is nasty. :)

And yes, the FAQ specifically addresses this, but we already
don't really honor it all that much (what other rationale is
there for ServerTokens other than obfuscation? :) ).
   Jim Jagielski
      "A society that will trade a little liberty for a little order
             will lose both and deserve neither" - T.Jefferson

