httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Trawick" <traw...@gmail.com>
Subject Re: vote on concept of ServerTokens Off
Date Wed, 06 Dec 2006 18:43:49 GMT
On 12/6/06, Paul Querna <chip@force-elite.com> wrote:

> This thread is making me sad.

No tears ;)  The somewhat bright side is that pushing on this tender
spot until it hurts should at the very least avoid having the same
discussion here for the next couple of years, and at the most can
avoid a lot of other wasteful discussions permanently ;)  The middle
ground of document explicitly why you can't directly turn it off
should also be achievable.

Proposed documentation for the ServerTokens directive.

Special note:

Apache HTTP Server users suggest from time to time that the
ServerTokens directive allow the Server response header to be
eliminated completely.  This feature suggestion is rejected for the
following reasons:

* The Apache HTTP Server project wants surveys of web server usage,
such as the well-known Netcraft survey, to more accurately represent
the actual use of Apache httpd.  While some web server administrators
currently modify the Apache HTTP Server source code or install
third-party modules which can remove the Server header, too few
administrators do this to significantly alter the results.  The same
may not be true if it is an easily-accessible feature.

* The Apache HTTP Server project believes that most people who want to
avoid sending the Server header mistakenly think that doing so may
protect their server from attacks based on known flaws in older Apache
HTTPD releases, when in fact the only reasonable way to address these
flaws is to upgrade to new Apache HTTPD releases which correct
security problems affecting your configuration.  By restricting the
ability to configure Apache in this manner, we wish to raise awareness
of the need to upgrade when critical vulnerabilities are addressed.

(what other reasons go here?)

Mime
View raw message