Posted to dev@httpd.apache.org by "Brass, Phil (ISS Atlanta)" <PB...@iss.net> on 2003/03/21 21:41:57 UTC
Removing Server: header
Hi, I recently patched my Debian Apache server source to add a new
ServerToken value, ServerToken=Hide, which will remove the Server, Date,
and Last-Modified headers (to make server identification a little more
difficult (yes I know this is bad for proxies, if that's a big deal we
can just have it remove the Server: header, that's probably all most
people would expect anyway)). I had to patch the server instead of
using mod_headers because these headers get added *after* the last
module is called (or so it appears).
I made my changes to Debian's apache_1.3.27-0.1_i386 source package.
Anyhow, I'm curious if the httpd project would be interested in a change
like this, and if so what the best way to submit these patches would be?
Sorry to be such a n00b...
TIA,
Phil Brass
Senior Security Consultant
Internet Security Systems
Re: Removing Server: header
Posted by Graham Leggett <mi...@sharp.fm>.
Brass, Phil (ISS Atlanta) wrote:
> Hi, I recently patched my Debian Apache server source to add a new
> ServerToken value, ServerToken=Hide, which will remove the Server, Date,
> and Last-Modified headers (to make server identification a little more
> difficult (yes I know this is bad for proxies, if that's a big deal we
> can just have it remove the Server: header, that's probably all most
> people would expect anyway)).
I'm curious - what benefit would be had by stripping Date and Last-Modified?
Does Apache not already have an override for the Server value?
Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm "There's a moon
over Bourbon Street
tonight..."