httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <>
Subject Re: Proposal: Allow ServerTokens to specify Server header completely
Date Tue, 13 Jan 2004 14:52:25 GMT
Lars Eilebrecht wrote:
> According to Jim Jagielski:
> > I didn't propose this to create (yet another) heated discussion,
> too late ;)
> > simply to suggest that we take ServerTokens to its logical
> > conclusion based on some requests I've seen. :)
> Sorry, but I don't see this as the logical conclusion of
> the ServerTokens directive.
> Being able to manage what third-party modules put in the
> server header is one thing, but changing the header to
> an arbitrary think does not seem logical to me, nor is
> it a security feature.

ServerTokens allows more than just the removal of
the module descriptions. For what other "reason"
does the ability to go from

   Apache/2.0.49-dev (Unix)

provide rather than ways to "obscure" "relative"
information about this specific build of Apache?
Certainly Admins do this because "I don't want people
to know what specific version of Apache I'm using".

I'm not really as Pro this "enhancement" as it may
seem :)

   Jim Jagielski   [|]   [|]
      "A society that will trade a little liberty for a little order
             will lose both and deserve neither" - T.Jefferson

View raw message