httpd-dev mailing list archives

From Jorge Schrauwen <>
Subject Re: [Fwd: Re: vote on concept of ServerTokens Off]
Date Wed, 02 Sep 2009 07:29:56 GMT
I'm not too fond of being able to remove it either.

It can always be set to "Apache" with the current configuration
options, and that should keep people worried about exploits somewhat.

Even if you were able to hide it completely, a good script could
figure out if it's a 1.3, 2.0, or 2.2 based on how it handles certain
requests and on the directory listing, for example.



On Tue, Sep 1, 2009 at 11:36 PM, William A. Rowe, Jr. <> wrote:
> Why attach email doesn't work in thunderbird is beyond me...
> This was Jeff's starting point for documenting ServerTokens Off.
> -------- Original Message --------
> Subject: Re: vote on concept of ServerTokens Off
> Date: Wed, 6 Dec 2006 13:43:49 -0500
> From: Jeff Trawick <>
> On 12/6/06, Paul Querna <> wrote:
>> This thread is making me sad.
> No tears ;)  The somewhat bright side is that pushing on this tender
> spot until it hurts should at the very least avoid having the same
> discussion here for the next couple of years, and at the most can
> avoid a lot of other wasteful discussions permanently ;)  The middle
> ground of documenting explicitly why you can't directly turn it off
> should also be achievable.
> Proposed documentation for the ServerTokens directive.
> Special note:
> Apache HTTP Server users suggest from time to time that the
> ServerTokens directive allow the Server response header to be
> eliminated completely.  This feature suggestion is rejected for the
> following reasons:
> * The Apache HTTP Server project wants surveys of web server usage,
> such as the well-known Netcraft survey, to more accurately represent
> the actual use of Apache httpd.  While some web server administrators
> currently modify the Apache HTTP Server source code or install
> third-party modules which can remove the Server header, too few
> administrators do this to significantly alter the results.  The same
> may not be true if it is an easily-accessible feature.
> * The Apache HTTP Server project believes that most people who want to
> avoid sending the Server header mistakenly think that doing so may
> protect their server from attacks based on known flaws in older Apache
> HTTPD releases, when in fact the only reasonable way to address these
> flaws is to upgrade to new Apache HTTPD releases which correct
> security problems affecting your configuration.  By restricting the
> ability to configure Apache in this manner, we wish to raise awareness
> of the need to upgrade when critical vulnerabilities are addressed.
> (what other reasons go here?)
> .
