httpd-dev mailing list archives

From "Jeff Trawick"
Subject Re: vote on concept of ServerTokens Off
Date Thu, 07 Dec 2006 12:52:04 GMT

On 12/6/06, Henrik Nordstrom wrote:
> Wed 2006-12-06 at 09:38 -0500, Jeff Trawick wrote:
> > Why other than ego do we want to make it hard to disable this output?
> Technical reason:
> Not advertising the brand and version makes it very hard for clients
> (user-agents and proxies) to apply workarounds when needed.
> As an example Squid currently has a workaround for how Apache handles
> ETag in responses which has been modified by mod_deflate. In future we
> hope to be able to disable that for versions known to be fixed.
> Not sending the server name and version will make this harder.

Since this capability of working around issues in certain levels of
Apache requires both the server name and version to be advertised,
that is an argument against something you've been able to do since
Apache 1.3.14 (hide the version).  Colm had another argument in that
category.  So we could list some reasons to avoid using the existing
capability to hide the server version:

* make it easy to audit your web server installations for out of date versions
* allow other software, such as proxy servers, to work around problems
in your level of Apache
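
The first reason in the list above, auditing installations by their advertised version, as an added example that is not part of the original message or of the httpd project: it classifies `Server` header values collected from your own hosts against a minimum version, and shows that a header with the version hidden or truncated (the `ServerTokens` settings `Prod`, `Major` and `Minor`) cannot be judged either way. The host names, header values and minimum version are constructed for illustration.

```python
import re

# Apache's product token: "Apache", "Apache/2", "Apache/2.2", "Apache/2.2.3 (Unix) ..."
_APACHE = re.compile(r"^Apache(?:/(\d+(?:\.\d+){0,2}))?(?:\s|$)")


def classify(server_header, minimum):
    """Classify one Server header value against minimum=(major, minor, patch).

    Returns 'not-apache', 'unknown', 'outdated' or 'ok'.
    """
    m = _APACHE.match(server_header.strip())
    if not m:
        return "not-apache"
    if m.group(1) is None:
        return "unknown"  # version hidden entirely (ServerTokens Prod)
    seen = tuple(int(part) for part in m.group(1).split("."))
    prefix = minimum[:len(seen)]
    if seen < prefix:
        return "outdated"  # even the advertised components are too old
    if seen > prefix:
        return "ok"
    # Advertised components equal the minimum; only a full x.y.z settles it.
    return "ok" if len(seen) == 3 else "unknown"


def audit(inventory, minimum):
    """Group host names by classification; inventory maps host -> Server header."""
    report = {}
    for host, header in inventory.items():
        report.setdefault(classify(header, minimum), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample data: header values as they might be collected from
# hosts you administer, and a minimum version picked by the auditor.
SAMPLE_MINIMUM = (2, 2, 3)
SAMPLE_INVENTORY = {
    "web1.example.internal": "Apache/2.2.3 (Unix)",
    "web2.example.internal": "Apache/2.0.41 (Unix) PHP/4.2.2",
    "web3.example.internal": "Apache",
    "web4.example.internal": "Apache/2.2",
    "web5.example.internal": "Apache/2",
    "app1.example.internal": "Apache-Coyote/1.1",
}

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY, SAMPLE_MINIMUM).items()):
        print(f"{status:11} {', '.join(hosts)}")
```

Hosts reported as `unknown` have to be checked by some means other than the response header, such as package inventory on the machine itself.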
