tomcat-dev mailing list archives

From Martin Algesten <mar...@taglab.com>
Subject Re: cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet JspServlet.java
Date Tue, 22 Jul 2003 10:32:31 GMT

On Tuesday, July 22, 2003, at 09:24 AM, Remy Maucherat wrote:

> Jan Luehe wrote:
>>> This is a pretty bad implementation IMO.
>>> What's the use of disabling this feature ?
>> The spec declares these headers as optional, which means Tomcat 
>> should make them configurable. Some sites may prefer not to include 
>> this information in their responses, for security reasons or
>> whatever.
>
> IIS 6 has similar headers, and I believe do not have any option to 
> hide them. This has no bandwidth savings or anything. It is not worth 
> adding flags everywhere for that.
> If you really want to add a flag, add it on the connector, and set the 
> header in the CoyoteAdapter. As for the JSP flag, it should be a 
> Jasper option if you really want to have it optional, not based on a 
> bad test (why does the presence of a X-Powered header indicate 
> anything ?).
> BTW, I don't see why the spec saying that the header is optional 
> implies that the flag must be implemented as something optional. It 
> merely means that an implementation may ignore completely this
> feature.
> I maintain my -1 (sorry for disliking your patches these days): adding 
> configurability, down to flag addition in the core interfaces, to such 
> a trivial feature is ridiculous (or we should have 300 flags in the 
> Context interface, which we obviously don't want). Please revert your 
> patch.
>

Remy, I don't agree with that at all. For security reasons you always 
want the option to reveal as little as possible about your system. By 
default httpd creates headers like:

Server: Apache/1.3.26 (Unix) mod_jk/1.1.0 DAV/1.0.3 mod_ssl/2.8.9 
OpenSSL/0.9.6b

Which for a paranoid sysadmin is far too much info to give away. 
Thankfully you can get rid of them in the httpd configurations (if you 
want another example look at bind and what that gives away by default). 
This is exactly the same thing, if the header is to be set in the 
response (I'm not commenting on the implementation details or whether it 
should be there), then there must be an option to turn it off.

Martin
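The point of Martin's httpd example is that product/version tokens in response headers are an information leak a site may want to switch off. The following is an added example, not code from this thread or from Tomcat or httpd: a small scanner that parses the header block of a raw HTTP response and reports every versioned product token found in the headers that typically carry such disclosures (Server, X-Powered-By, X-AspNet-Version). The two sample responses are constructed; the Server value is the one quoted in the message above, and the X-Powered-By value is an assumed Servlet/JSP string, not something the thread states.

```python
import re
from typing import Dict, List, Tuple

# Response headers that commonly carry product and version information.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# A product token followed by a version, e.g. "Apache/1.3.26" or "mod_ssl/2.8.9".
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")

# Constructed sample: the Server line quoted in the message, folded onto a
# continuation line, plus an assumed X-Powered-By value (not from the thread).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 22 Jul 2003 10:32:31 GMT\r\n"
    "Server: Apache/1.3.26 (Unix) mod_jk/1.1.0 DAV/1.0.3 mod_ssl/2.8.9\r\n"
    " OpenSSL/0.9.6b\r\n"
    "X-Powered-By: Servlet/2.4 JSP/2.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample of a response whose banner has been reduced to a bare
# product name and whose X-Powered-By header has been turned off.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 22 Jul 2003 10:32:31 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased dict.

    Handles CRLF or LF line endings, obsolete line folding (a continuation
    line starting with SP/HTAB) and repeated headers (joined with commas).
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:                 # lines[0] is the status line
        if not line.strip():
            break                          # blank line ends the header block
        if line[0] in " \t" and headers:   # folded continuation of previous header
            last = list(headers)[-1]
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = value if key not in headers else headers[key] + ", " + value
    return headers


def find_disclosures(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, product, version) for each versioned token in a disclosing header."""
    found: List[Tuple[str, str, str]] = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            for product, version in VERSION_TOKEN.findall(headers[name]):
                found.append((name, product, version))
    return found


def report(raw: str) -> str:
    """Human-readable summary of what a response gives away."""
    leaks = find_disclosures(parse_headers(raw))
    if not leaks:
        return "no product/version disclosure in response headers"
    return "\n".join(f"{h}: {p} {v}" for h, p, v in leaks)


if __name__ == "__main__":
    print("--- default banner ---")
    print(report(SAMPLE_RESPONSE))
    print("--- hardened banner ---")
    print(report(HARDENED_RESPONSE))
```

Run against a captured response header block (for instance one saved from your own server), the scanner lists exactly the tokens a sysadmin would want to review: the first sample yields seven product/version pairs across Server and X-Powered-By, the hardened one yields none, since a bare product name without a version is not matched.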


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

