httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Trawick" <>
Subject Re: [PATCH 40026] ServerTokens Off
Date Tue, 05 Sep 2006 13:25:45 GMT
On 8/20/06, William A. Rowe, Jr. <> wrote:
> Lars Eilebrecht wrote:
> >
> > Apart from that, it's also possible to customize the Server header by
> > using mod_security which has a configuration directive for this.
> My 2c, let's adopt the patch for three reasons...
>  1. it's an FAQ that would -go away-, less stress for our peer apache
>     user supporters

giant +1

Attempts to illuminate have failed.  The best education will be to see
requests for some odd URL with .EXE in the name in the error log of a
Unix box with ServerTokens None.

>  2. it's not required.

Right, we're getting religious about some protocol data which is not
even required and which we freely admit that people with the skills
should just go hack up the source code to remove.

>  3. it will dissuade folks from adopting thirdparty modules for foolish reasons,
>     sparing those projects to deal only with users who actually plan to take
>     advantage of their real features ;-)

That makes sense to me.  Meanwhile, it hardly makes sense to have
somebody use a third-party module to remove some protocol data that
Apache didn't need to add in the first place.

View raw message