tomcat-dev mailing list archives

From Remy Maucherat <>
Subject Re: cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet
Date Tue, 22 Jul 2003 10:42:56 GMT
Martin Algesten wrote:
> Remy, I don't agree with that at all. For security reasons you always 
> want the option to reveal as little as possible about your system. By 
> default httpd creates headers like:
> Server: Apache/1.3.26 (Unix) mod_jk/1.1.0 DAV/1.0.3 mod_ssl/2.8.9 
> OpenSSL/0.9.6b
> Which for a paranoid sysadmin is far too much info to give away. 
> Thankfully you can get rid of them in the httpd configurations (if you 
> want another example look at bind and what that gives away by default). 
> This is exactly the same thing, if the header is to be set in the 
> response (I'm not commenting on the implementation details or whether it 
> should be there), then there must be an option to turn it off.

You're using in your argument the most extreme example ;-)
Here, it's only revealing the technology used. This is very little, and 
not any more revealing than a ".jsp" extension.

Anyway, I was ok with having that optional. However, I think the 
implementation provided is bad.
As such, I confirm my -1 for the patch.

Instead, I believe it should be implemented in the following way:
- flag on the connector, with the Servlet header being set in the 
- flag in the Jasper options (looking at the presence of another header, 
and assuming it's the Servlet header is just ugly: how about other 
implementations which embed Jasper ?); setting the flag only in 
JspServlet can, however, be considered good enough (however, we should 
IMO add the header addition in the generated source for consistent 
results, since my original proposal of using HttpJspBase is not much 
better than JspServlet)
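The "explicit flag" approach argued for above, as an added illustration rather than code from the thread or from Jasper: a JspServlet-style servlet reads a hypothetical `addServletHeader` init parameter (standing in for a Jasper option) and sets the header only when that flag is on, instead of inferring the decision from some other header. The header name and value (`X-Powered-By: Servlet/2.4 JSP/2.0`) are assumptions, not something the thread specifies.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FlaggedHeaderJspServlet extends HttpServlet {

    // Hypothetical stand-in for the Jasper option proposed in the reply;
    // in a real container it would come from the Jasper Options object.
    private boolean addServletHeader;

    @Override
    public void init() throws ServletException {
        // Off unless the deployment opts in: nothing about the stack is
        // advertised by default, which is the property the thread asks for.
        addServletHeader = Boolean.parseBoolean(getInitParameter("addServletHeader"));
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The decision depends on the explicit flag only. Keying it on the
        // presence of another header (the approach the reply rejects) ties
        // Jasper to one container's behaviour and misbehaves for embedders.
        if (addServletHeader) {
            // Assumed header name and value; adjust to the container's own.
            resp.setHeader("X-Powered-By", "Servlet/2.4 JSP/2.0");
        }
        resp.setContentType("text/html");
        resp.getWriter().println("<html><body>page body</body></html>");
    }
}
```

Registering the servlet with `<init-param>` `addServletHeader=true` in web.xml turns the header on for that deployment; leaving the parameter out keeps it off.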

