Server Token: None

Alex Hautequest
Can we have an empty SERVER header instead of the minimalistic but yet “revealing” one issued by the token when set as Prod? Most people change this header either by patching it themselves (and maintaining their patches), or by installing extra modules/plugins, but it would be very, very handy if this was an option from the main source itself.

I did a quick and dirty patch for the latest release code, and as someone who hasn’t coded anything past a hello world for quite a few years, it was simple enough that I’m surprised nobody cared to do it. Or perhaps this has been discussed before and the general consensus was to leave the bare minimum to Prod: if so, people that want to keep a low profile would find their ways anyway, but giving us the choice is not unusual in the spirit of FOSS.

Alex


Attachments: httpd-server-header-none.diff.gz (762 bytes), smime.p7s (5K)
Re: Server Token: None

Rich Bowen


On 11/28/18 4:38 PM, Alex Hautequest wrote:
> Can we have an empty SERVER header instead of the minimalistic but yet “revealing” one issued by the token when set as Prod? Most people change this header either by patching it themselves (and maintaining their patches), or by installing extra modules/plugins, but it would be very, very handy if this was an option from the main source itself.
>
> I did a quick and dirty patch for the latest release code, and as someone who hasn’t coded anything past a hello world for quite a few years, it was simple enough that I’m surprised nobody cared to do it. Or perhaps this has been discussed before and the general consensus was to leave the bare minimum to Prod: if so, people that want to keep a low profile would find their ways anyway, but giving us the choice is not unusual in the spirit of FOSS.

This is addressed in the documentation itself. It has come up numerous
times over the years, and the consensus has always been that having a
Server header is a Good Thing. It complies with the spec. Furthermore,
dropping the Server header gives people the mistaken idea that they are
being somehow more secure, when it does nothing of the sort.