httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ivan Ristic <iv...@webkreator.com>
Subject Re: Proposal: Allow ServerTokens to specify Server header completely
Date Tue, 13 Jan 2004 14:25:36 GMT

>>   I like the idea. Right now you either have to
>>   change the source code or use mod_security to achieve
>>   this, but I think the feature belongs to the server core.
>>
>>   But I think a new server directive is a better solution.
> 
> As Lars said (and I agree), it has nothing to do with security. Why do you
> provide such a "feature" then?

   Because I believe that changing the signature prevents some
   automated tools from attacking the server.

   I recently changed the signature of the Apache running on
   modsecurity.org (to pretend to be IIS5). As a result, I've started
   getting more IIS-related attacks than before. So, the signature
   does matter.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]


Mime
View raw message