httpd-dev mailing list archives

From Lars Eilebrecht <l...@apache.org>
Subject Re: [PATCH 40026] ServerTokens Off
Date Sun, 20 Aug 2006 22:34:55 GMT
According to Sebastian Nohn:

> I personally think, "ego" is a bad reason for constricting people.

This has nothing to do with "ego". In my opinion it is more than
appropriate to put a "label" in the form of the Server header
onto the Apache HTTP Server.

For example, if I buy a car I can usually order it without the
exact type information/logos added to the car, but I just cannot
order it without any logo of the manufacturer itself.

For offering such an option with Apache I've only seen two arguments:

1. Making the server more secure by not revealing any (or fake)
   server information.

2. Saving bandwidth.


Well, when we've had similar discussions in the past they were
usually about argument No. 1, but the consensus was always that
a security-by-obscurity feature in Apache does not make sense.

Saving bandwidth is a valid point, but as I already pointed out
in my previous email, it is only relevant to a very very tiny fraction
of Apache users. Those users who run a high-traffic web site usually
use self-compiled, or customized versions of Apache anyway, and for
them it's easy to modify the code themselves to get rid of the Server
header.

Apart from that, it's also possible to customize the Server header by
using mod_security which has a configuration directive for this.


ciao...
-- 
Lars Eilebrecht
lars@apache.org
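The two ways of trimming the Server header that the message refers to, as an added example that is not part of the thread or of the httpd project's own documentation. It assumes a stock httpd 2.x configuration and, for the second option, that the ModSecurity 2.x module (mod_security2) is loaded; the signature string "ExampleServer/1.0" is a constructed placeholder.

```apache
# Option A: stock httpd only.
# "Prod" is the least verbose built-in ServerTokens level and sends
# "Server: Apache". Stock httpd has no "Off" value; adding one is what
# the patch under discussion proposes.
ServerTokens Prod

# Stop httpd from appending its version line to generated pages
# (error documents, directory listings).
ServerSignature Off

# Option B: with mod_security2 loaded, overwrite the string instead.
# ModSecurity's documentation requires ServerTokens Full for
# SecServerSignature to take effect, because the directive rewrites the
# full signature buffer in place. Use one option or the other, not both.
<IfModule security2_module>
    ServerTokens Full
    SecServerSignature "ExampleServer/1.0"
</IfModule>
```

Whichever option is used, the change only affects what the header advertises; it does not alter the server's actual behaviour, which is the point made in the message about security by obscurity.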

