httpd-dev mailing list archives

From Ruediger Pluem <>
Subject Re: [PATCH 40026] ServerTokens Off
Date Mon, 21 Aug 2006 08:17:54 GMT

On 08/21/2006 12:34 AM, Lars Eilebrecht wrote:

> For offering such an option with Apache I've only seen two arguments:
> 1. Making the server more secure by not revealing any (or fake) 
>    server information.
> 2. Saving bandwidth.
> Well, when we've had similar discussions in the past they were
> usually about argument No. 1, but the consensus was always that
> a security-by-obscurity feature in Apache does not make sense.

+1, OTOH we partially have these security-by-obscurity features as we
can reduce what Apache reports in the Server header, by removing the
version number and the modules loaded.

> Saving bandwidth is a valid point, but as I already pointed out

Does saving 17 bytes per request really change a lot?
For the small one pixel pictures that might be true, but for most requests
I would guess that this saves less than 1% of the request size.
I would guess that cleaning html pages and compressing content gives
you much more savings in this case.

> in my previous email, it is only relevant to a very very tiny fraction
> of Apache users. Those users who run a high-traffic web site usually
> use self-compiled, or customized versions of Apache anyway, and for
> them it's easy to modify the code themselves to get rid of the Server
> header.

Given my arguments above +1 to this.

> Apart from that, it's also possible to customize the Server header by
> using mod_security which has a configuration directive for this.

Not that I want to use it, but I am just curious about which one that could be.
I know that you can hide the presence of mod_security itself from the server
header, but I do not know how to remove the Server header completely with mod_security.
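As an added example, not part of this thread or of the patch under discussion: a small Python audit that pulls the Server header out of a raw HTTP response, classifies how much it reveals (named after the ServerTokens levels Prod, Major/Minor/Min, OS and Full), and counts the bytes the header costs per response. The sample responses are constructed, not captured from any real host.

```python
import re
from typing import Optional

# Constructed sample responses, one per disclosure level (not real captures).
SAMPLES = {
    "full":    b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8b\r\nContent-Length: 0\r\n\r\n",
    "os":      b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Red Hat)\r\nContent-Length: 0\r\n\r\n",
    "version": b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\nContent-Length: 0\r\n\r\n",
    "product": b"HTTP/1.1 200 OK\r\nserver: Apache\r\nContent-Length: 0\r\n\r\n",
    "absent":  b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

_OS_RE = re.compile(r"\([^)]*\)")   # the parenthesised OS token, e.g. "(Unix)"


def server_header(raw: bytes) -> Optional[str]:
    """Return the Server header value from a raw response, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":   # header names are case-insensitive
            return value.strip().decode("latin-1")
    return None


def disclosure_level(value: Optional[str]) -> str:
    """Map a Server header value onto the ServerTokens-style level it exposes."""
    if not value:
        return "absent"
    has_os = _OS_RE.search(value) is not None
    rest = _OS_RE.sub(" ", value).split()         # product token plus any module tokens
    if len(rest) == 1 and not has_os:
        return "version" if "/" in rest[0] else "product"   # "Apache/2.2.3" vs "Apache"
    if len(rest) == 1 and has_os:
        return "os"                               # "Apache/2.2.3 (Unix)"
    return "full"                                 # loaded modules are listed as well


def header_bytes(value: Optional[str]) -> int:
    """Bytes the header line costs on the wire, including the trailing CRLF."""
    return 0 if value is None else len("Server: ") + len(value.encode("latin-1")) + 2


def audit(raw: bytes) -> dict:
    """Summarise one response: header value, disclosure level and wire cost."""
    value = server_header(raw)
    return {"server": value, "level": disclosure_level(value), "bytes": header_bytes(value)}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit(raw))
```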
