From: Ruediger Pluem
To: dev@httpd.apache.org
Subject: Re: [PATCH 40026] ServerTokens Off
Date: Mon, 21 Aug 2006 10:17:54 +0200
Message-ID: <44E96C32.5080207@apache.org>
References: <44D03F79.2030303@nohn.net> <44DCA97F.80100@nohn.net> <20060811165000.GA3095@eilebrecht.net> <44E89412.1020206@nohn.net> <20060821003455.0bee3ff4@doubleshadow.eilebrecht.net>
In-Reply-To: <20060821003455.0bee3ff4@doubleshadow.eilebrecht.net>
On 08/21/2006 12:34 AM, Lars Eilebrecht wrote:
>
> For offering such an option with Apache I've only seen two arguments:
>
> 1. Making the server more secure by not revealing any (or fake)
> server information.
>
> 2. Saving bandwidth.
>
>
> Well, when we've had similar discussions in the past they were
> usually about argument No. 1, but the consensus was always that
> a security-by-obscurity feature in Apache does not make sense.

+1, OTH we partially have these security-by-obscurity features as we can
reduce what Apache reports in the Server header, by removing the version
number and the modules loaded.

>
> Saving bandwidth is a valid point, but as I already pointed out

Does saving 17 bytes per request really change a lot? For the small one
pixel pictures that might be true, but for most requests I would guess
that this saves less than 1% of the request size. I would guess that
cleaning html pages and compressing content gives you much more savings
in this case.

> in my previous email, it is only relevant to a very very tiny fraction
> of Apache users. Those users who run a high-traffic web site usually
> use self-compiled, or customized versions of Apache anyway, and for
> them it's easy to modify the code themselves to get rid of the Server
> header.

Given my arguments above +1 to this.

>
> Apart from that, it's also possible to customize the Server header by
> using mod_security which has a configuration directive for this.

Not that I want to use it, but I am just curious about which one that
could be. I know that you can hide the presence of mod_security itself
from the server header, but I do not know how to remove the Server header
completely with mod_security.

Regards

Rüdiger
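As an added example (not code from this thread or from httpd itself), the following Python check lets an administrator classify which ServerTokens level a captured Server header corresponds to and measure how many bytes that header line costs, the two points argued above. The level names follow the httpd ServerTokens documentation; the function names and the sample response are assumptions constructed for this example.

```python
import re
# Server header formats per ServerTokens level (from the httpd docs); the
# version/module strings are illustrative: Prod "Apache", Major "Apache/2",
# Minor "Apache/2.0", Min "Apache/2.0.41", OS "Apache/2.0.41 (Unix)",
# Full "Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2"; Off = header absent.
SERVER_RE = re.compile(
    r"^Apache(?:/(\d+)(?:\.(\d+))?(?:\.(\d+))?)?(\s+\(.*?\))?(\s+\S.*)?$")

def split_response(raw):
    """Return (headers dict with lowercased names, body) for a raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def classify_server_tokens(server):
    """Map a Server header value (None when absent) to the ServerTokens level it reveals."""
    if server is None:
        return "Off"          # what the proposed patch would produce
    m = SERVER_RE.match(server)
    if not m:
        return "Unknown"      # non-Apache or customised banner
    major, minor, patch, os_part, modules = m.groups()
    if modules:
        return "Full"
    if os_part:
        return "OS"
    if patch is not None:
        return "Min"
    if minor is not None:
        return "Minor"
    if major is not None:
        return "Major"
    return "Prod"

def server_header_overhead(raw):
    """Bytes the Server header line costs (incl. CRLF) and its share of the response."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            cost = len(line) + 2
            return cost, cost / len(raw)
    return 0, 0.0

# Constructed sample response (not a real capture).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 21 Aug 2006 08:17:54 GMT\r\n"
    b"Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2\r\nContent-Type: text/html\r\n"
    b"Content-Length: 1200\r\n\r\n" + b"<html>" + b"x" * 1187 + b"</html>")
```

For the constructed response the Server line is 50 of 1353 bytes, under 4%, which is the kind of ratio the bandwidth argument above turns on.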