Posted to users@httpd.apache.org by Dave Stevens <ge...@uniserve.com> on 2010/12/06 19:42:27 UTC
[users@httpd] HTTP header fields
Recently I had a note from a user of the apache site on my server that said in
part, "the title bar in my browser shows the software package, O/S and version
you run on your server.
Have you thought about changing that?"
Well, I hadn't, but it seems as if from a security point of view it might not
be a bad idea. Is there any history or discussion on that, or perhaps a
reference I can read up on?
Dave
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] HTTP header fields
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 12/6/2010 12:50 PM, Eric Covener wrote:
>
> There hasn't been much discussion that the info should be hidden by default.
Please consult the archives; that is a discussion of a decision that will not die.
Re: [users@httpd] HTTP header fields
Posted by Eric Covener <co...@gmail.com>.
On Mon, Dec 6, 2010 at 1:56 PM, J.Lance Wilkinson <jl...@psulias.psu.edu> wrote:
> Eric Covener wrote:
>>
>> On Mon, Dec 6, 2010 at 1:42 PM, Dave Stevens <ge...@uniserve.com> wrote:
>
>> ....
>>>
>>> Well, I hadn't, but it seems as if from a security point of view it might
>>> not
>>> be a bad idea. Is there any history or discussion on that? or perhaps a
>>> reference I can read up on?
>>
>> http://httpd.apache.org/docs/current/mod/core.html#servertokens
>>
>> There hasn't been much discussion that the info should be hidden by
>> default.
>>
>
> Well, under the theory that letting a "hacker" know anything about the
> platform they may be trying to infiltrate gives them useful information
Sorry, I meant discussion beyond this obvious implication of the default value.
--
Eric Covener
covener@gmail.com
Re: [users@httpd] HTTP header fields
Posted by Jeffrey E Burgoyne <bu...@keenuh.com>.
> But somebody with
> more malicious intent could interpret and abuse based on what they see.
>
Perhaps, but my web server logs show a very large number of hits
attacking vulnerabilities across multiple OS and web server types which
have no bearing on the server I am running. The fact is they do not care
what you are running; they will just hit you with every attack they can
find for every web server known and hope for a hit.
I'm sure a hacker wanting in will not look at a server signature and say
"Oh, apache on Linux, guess I won't even bother trying this IIS on Windows
hack".
--
Jeffrey Burgoyne
Chief Technology Officer
KCSI Keenuh Consulting Services Inc
www.keenuh.com
burgoyne@keenuh.com
Re: [users@httpd] HTTP header fields
Posted by "J.Lance Wilkinson" <jl...@psulias.psu.edu>.
Eric Covener wrote:
> On Mon, Dec 6, 2010 at 1:42 PM, Dave Stevens <ge...@uniserve.com> wrote:
> ....
>> Well, I hadn't, but it seems as if from a security point of view it might not
>> be a bad idea. Is there any history or discussion on that? or perhaps a
>> reference I can read up on?
>
> http://httpd.apache.org/docs/current/mod/core.html#servertokens
>
> There hasn't been much discussion that the info should be hidden by default.
>
Well, under the theory that letting a "hacker" know anything about the
platform they may be trying to infiltrate gives them useful information
they could abuse, I usually run my servers with ServerTokens Prod. I
really wish there was a ServerTokens Custom (let me specify the string
I want to return in the ServerSignature) or ServerTokens Stealth (don't
supply any information in the ServerSignature).
Personally, I run my Firefox browsers with the ServerSpy addon -- so I
always can see what the ServerSignature reads coming from the server.
Usually I use that as a clue when the server I'm visiting does
something I consider to be lame -- "Oh, that's the stupid XXXX server
they're running, no wonder they have problems." But somebody with
more malicious intent could interpret and abuse based on what they see.
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
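The ServerTokens levels referred to above map to distinct Server header shapes (Prod gives "Apache", OS adds the platform comment, the Full default appends every module token). The following is an added example, not code from this thread or from the httpd project: it infers which level a Server header value corresponds to and audits a set of constructed sample headers, so an administrator can confirm their own servers really are at Prod. The product-name and version pattern is an assumption that covers the shapes documented for ServerTokens; the sample hostnames are made up.

```python
import http.client
import re

# ServerTokens levels in increasing order of disclosure, per
# http://httpd.apache.org/docs/current/mod/core.html#servertokens
LEVELS = ("Prod", "Major", "Minor", "Min", "OS", "Full")

# Assumed shape: product[/version] [(OS comment)] [further module tokens]
_SERVER_RE = re.compile(r"^([A-Za-z][\w.-]*)(?:/(\d[\w.-]*))?\s*(\([^)]*\))?\s*(.*)$")

def servertokens_level(server_header):
    """Return the ServerTokens level that would produce this Server header
    value, or "absent" when no Server header was sent at all."""
    value = (server_header or "").strip()
    if not value:
        return "absent"
    m = _SERVER_RE.match(value)
    if not m:
        return "Full"  # unrecognised shape: treat as maximal disclosure
    _product, version, os_comment, extra = m.groups()
    if extra:          # anything after the OS comment means module tokens
        return "Full"
    if os_comment:
        return "OS"
    if version:        # 2 -> Major, 2.4 -> Minor, 2.4.2 -> Min
        return {1: "Major", 2: "Minor"}.get(len(version.split(".")), "Min")
    return "Prod"

def audit(samples):
    """Map each (site, header) pair to (level, reveals more than Prod?)."""
    report = {}
    for site, header in samples:
        level = servertokens_level(header)
        report[site] = (level, level not in ("Prod", "absent"))
    return report

# Constructed sample headers (hostnames are not real), one per level.
SAMPLES = [
    ("prod.example", "Apache"),
    ("major.example", "Apache/2"),
    ("minor.example", "Apache/2.4"),
    ("min.example", "Apache/2.4.2"),
    ("os.example", "Apache/2.4.2 (Unix)"),
    ("full.example", "Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2"),
    ("silent.example", ""),
]

def fetch_server_header(host, path="/", timeout=5.0):
    """HEAD request against one of your own hosts; returns Server or None."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()

if __name__ == "__main__":
    for site, (level, leaks) in audit(SAMPLES).items():
        print(f"{site:16} {level:7} {'exceeds Prod' if leaks else 'ok'}")
```

Pass a hostname you administer to fetch_server_header and feed the result to servertokens_level to check a live configuration.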
Re: [users@httpd] HTTP header fields
Posted by Eric Covener <co...@gmail.com>.
On Mon, Dec 6, 2010 at 1:42 PM, Dave Stevens <ge...@uniserve.com> wrote:
> Recently I had a note from a user of the apache site on my server that said in
> part, "the title bar in my browser shows the software package, O/S and version
> you run on your server.
>
> Have you thought about changing that?"
>
> Well, I hadn't, but it seems as if from a security point of view it might not
> be a bad idea. Is there any history or discussion on that? or perhaps a
> reference I can read up on?
http://httpd.apache.org/docs/current/mod/core.html#servertokens
There hasn't been much discussion that the info should be hidden by default.