httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ivan Ristic" <>
Subject Re: [PATCH 40026] ServerTokens Off
Date Mon, 21 Aug 2006 08:32:24 GMT
On 8/21/06, Ruediger Pluem <> wrote:
> Not that I want to use it, but I am just curious about which one that could be.
> I know that you can hide the presence of mod_security itself from the server
> header

ModSecurity does not advertise itself in the Server header, at least
not any more. (It only did that in the very early days, before I
realised it was a mistake.)

> but I do not know how to remove the Server header completly with mod_security.

It is not possible to remove the Server header completely. ModSecurity
can only change it to something else. But I guess one could write an
output filter to remove it. In fact, I seem to recall someone
mentioning such output filter recently. Now if I could only remember

BTW, for all it's worth, I think Apache should support Server header
removal/customisation natively. People that want to change/remove the
Server header will do that anyway. Apache supporting the feature
directly would mean that they will be able to do the job quickly and
get on with their lives.

Ivan Ristic, Technical Director
Thinking Stone,
ModSecurity: Open source Web Application Firewall

View raw message