httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <>
Subject Re: [users@httpd] Removing or overwriting "Server" header field.
Date Wed, 24 Jan 2007 19:47:57 GMT
On 1/24/07, Simon Ashford <> wrote:
> Hmmm...
> Doesn't seem to work.  Still get "Server: Apache" in the
> HTTP headers regardless of SecServerSignature.
> Get the impression from various reading that the Server
> header is added by Apache pretty much at the very end of
> processing, after anything done by other modules.
> Probably something the developers ought to adddress. It would
> be nice, for example, to be able to put "ServerTokens None"
> or some such in the basic configuration file without needing
> any other modules loaded...

Go search the dev list.  You'll see that this question has been
addressed in depth, probably a dozen different times.  The answer is:
You don't gain any security by omitting or lying in the Sever header,
so it is your "security audit" that is faulty, not apache.

(Many of us would still like to see the "ServerTokens None" option,
but only to get rid of silly discussions like these.  It doesn't
actually do any good and can potentially do harm.)


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message