httpd-users mailing list archives

From Brian Dessent <br...@dessent.net>
Subject Re: [users@httpd] Stop Apache from reporting version number anywhere..
Date Mon, 26 Jan 2004 02:28:56 GMT
Taco Fleur wrote:
> 
> > You can do this with the 'ServerTokens' parameter (not
> > 'ServerSignature', BTW, which doesn't affect the 'Server'
> > header and other locations where it's printed.)
> 
> It worked, I set the ServerSignature to off and the software version and
> webserver type did not appear on the 404 pages anymore.

It's still being sent with every single request in the 'Server' header.

> > But, if you think that by doing this you're increasing
> > security you're just wasting your time.
> 
> Why is that do you reckon?

Because hiding your version number doesn't do anything to patch security
holes.  You are 100% as vulnerable to whatever vulnerabilities you may
have regardless of what version number your server advertises.  It's not
going to stop you from being hacked, if that's what you were thinking. 
An analogy would be placing a post-it note on your front door that says
"There is no big-screen TV inside." when any burglar can see plainly in
your front window that in fact there is a large big-screen TV sitting
right there in the living room.

> And what exactly does the ServerTokens do?

The Apache documentation team doesn't write manuals just for the heck of
it you know.  http://httpd.apache.org/docs/mod/core.html#servertokens

Brian

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
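
To check on your own server which directive changes what, the following added example (not part of the original message or of the Apache project) parses a captured 404 response and reports the `Server` header and the error-page signature footer separately. The three sample responses are constructed to show the defaults, `ServerSignature Off` alone, and `ServerSignature Off` with `ServerTokens Prod`; the function names are hypothetical.

```python
import re

# Product token with a version number, e.g. "Apache/2.0.48"
_VERSION = re.compile(r"\b([A-Za-z_.-]+)/(\d+(?:\.\d+)*)")
# Footer line that ServerSignature On/EMail appends to server-generated pages
_FOOTER = re.compile(r"<address>(.*?)</address>", re.I | re.S)


def split_response(raw: bytes):
    """Split a raw HTTP response into (lower-cased headers dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body.decode("iso-8859-1")


def audit_disclosure(raw: bytes):
    """Report where a response reveals server software details."""
    headers, body = split_response(raw)
    server = headers.get("server", "")
    footer = _FOOTER.search(body)
    footer_text = re.sub(r"<[^>]+>", "", footer.group(1)).strip() if footer else None
    return {
        "server_header": server or None,                  # governed by ServerTokens
        "header_versions": _VERSION.findall(server),
        "signature_footer": footer_text,                  # governed by ServerSignature
        "footer_versions": _VERSION.findall(footer_text or ""),
    }


def _resp(server, footer=""):
    """Build a constructed 404 response for the samples below."""
    body = "<html><body><h1>Not Found</h1>" + footer + "</body></html>"
    return ("HTTP/1.1 404 Not Found\r\nServer: " + server +
            "\r\nContent-Type: text/html\r\n\r\n" + body).encode("iso-8859-1")


FULL = "Apache/2.0.48 (Unix) PHP/4.3.4"  # constructed sample value
SAMPLES = {
    "defaults": _resp(FULL, "<address>" + FULL + " Server at www.example.com Port 80</address>"),
    "ServerSignature Off": _resp(FULL),
    "ServerSignature Off + ServerTokens Prod": _resp("Apache"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit_disclosure(raw))
```

To audit a live server you administer, save a response with headers included (for example `curl -i` against a missing URL) and pass its bytes to `audit_disclosure`.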

