httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "J.Lance Wilkinson" <jl...@psulias.psu.edu>
Subject Re: [users@httpd] HTTP header fields
Date Mon, 06 Dec 2010 18:56:17 GMT
Eric Covener wrote:
> On Mon, Dec 6, 2010 at 1:42 PM, Dave Stevens <geek@uniserve.com> wrote:
 > ....
>> Well, I hadn't, but it seems as if from a security point of view it might not
>> be a bad idea. Is there any history or discussion on that? or perhaps a
>> reference I can read up on?
> 
> http://httpd.apache.org/docs/current/mod/core.html#servertokens
> 
> There hasn't been much discussion that the info should be hidden by default.
> 

	Well, under the theory that letting a "hacker" know anything about the
	platform they may be trying to infiltrate gives them useful information
	they could abuse, I usually run my servers with ServerTokens Prod.   I
	really wish there was a ServerTokens Custom (let me specify the string
	I want to return in the ServerSignature) or ServerTokens Stealth (don't
	supply any information in the ServerSignature).

	Personally, I run my Firefox browsers with the ServerSpy addon -- so I
	always can see what the ServerSignature reads coming from the server.
	Usually I use that as a clue when the server I'm visiting does
	something I consider to be lame -- "Oh, that's the stupid XXXX server
	they're running, no wonder they have problems."   But somebody with
	more malicious intent could interpret and abuse based on what they see.

-- 
J.Lance Wilkinson ("Lance")		InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead	Phone: (814) 865-4870
Digital Library Technologies		FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message