httpd-dev mailing list archives

From "William A. Rowe, Jr."
Subject Re: [PATCH 40026] ServerTokens Off
Date Sun, 20 Aug 2006 22:57:43 GMT
Lars Eilebrecht wrote:
> Apart from that, it's also possible to customize the Server header by
> using mod_security which has a configuration directive for this.

My 2c, let's adopt the patch for three reasons...

 1. it's an FAQ that would -go away-, less stress for our peer apache
    user supporters

 2. it's not required.  Advertising it's not even required, the number of
    installed Apache servers can be derived from the % of servers which do
    advertise Apache vs. others that allow users to hide this header, and
    using that % for the server token blind installations.  Clients can
    default to the lowest common denominator if they aren't able to determine
    what the server is doing.(*)

 3. it will dissuade folks from adopting third-party modules for foolish reasons,
    sparing those projects to deal only with users who actually plan to take
    advantage of their real features ;-)

(*) and fools who -use- the 'feature' can pay the penalty for clients which
choose not to trust that the anonymous server is capable of -correctly- serving
byterange, compression or other features which conserve server load - but aren't
consistently implemented properly by all HTTP/1.1 servers ;-)
