httpd-users mailing list archives

From "J.Lance Wilkinson" <>
Subject Re: [users@httpd] HTTP header fields
Date Mon, 06 Dec 2010 18:56:17 GMT
Eric Covener wrote:
> On Mon, Dec 6, 2010 at 1:42 PM, Dave Stevens <> wrote:
 > ....
>> Well, I hadn't, but it seems as if from a security point of view it might not
>> be a bad idea. Is there any history or discussion on that? or perhaps a
>> reference I can read up on?
> There hasn't been much discussion that the info should be hidden by default.

	Well, under the theory that letting a "hacker" know anything about the
	platform they may be trying to infiltrate gives them useful information
	they could abuse, I usually run my servers with ServerTokens Prod.   I
	really wish there was a ServerTokens Custom (let me specify the string
	I want to return in the ServerSignature) or ServerTokens Stealth (don't
	supply any information in the ServerSignature).

	Personally, I run my Firefox browsers with the ServerSpy addon -- so I
	always can see what the ServerSignature reads coming from the server.
	Usually I use that as a clue when the server I'm visiting does
	something I consider to be lame -- "Oh, that's the stupid XXXX server
	they're running, no wonder they have problems."   But somebody with
	more malicious intent could interpret and abuse based on what they see.

J.Lance Wilkinson ("Lance")		InterNet:
Systems Design Specialist - Lead	Phone: (814) 865-4870
Digital Library Technologies		FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802

The official User-To-User support forum of the Apache HTTP Server Project.
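
Added example, not part of the original message: a Python check that maps a `Server` response header value to the ServerTokens level whose documented header shape it matches, and lists what the value reveals beyond what `ServerTokens Prod` sends. The function names and the sample header values are constructed for illustration.

```python
import re

# Shape of the Server response header under each ServerTokens level,
# following the Apache httpd documentation for that directive.
_HEADER = re.compile(
    r"^Apache"
    r"(?:/(?P<version>\d+(?:\.\d+){0,2}))?"  # Major, Minor or Minimal
    r"(?:\s+\((?P<os>[^)]*)\))?"             # OS
    r"(?:\s+(?P<modules>\S.*))?$"            # Full: module tokens
)

def classify_server_header(value):
    """Return (level, disclosed); level is None for non-Apache values."""
    m = _HEADER.match(value.strip())
    if m is None:
        return None, []
    version, os_name, modules = m.group("version", "os", "modules")
    disclosed = []
    if version:
        disclosed.append("version " + version)
    if os_name:
        disclosed.append("OS " + os_name)
    if modules:
        disclosed.extend("module " + tok for tok in modules.split())
        level = "Full"
    elif os_name:
        level = "OS"
    elif version:
        level = ("Major", "Minor", "Minimal")[version.count(".")]
    else:
        level = "Prod"
    return level, disclosed

def audit(header_values):
    """Return the values that disclose more than ServerTokens Prod would."""
    findings = []
    for value in header_values:
        level, disclosed = classify_server_header(value)
        if level not in (None, "Prod"):
            findings.append((value, level, disclosed))
    return findings

# Constructed sample header values (not taken from any real server).
SAMPLES = [
    "Apache", "Apache/2", "Apache/2.2", "Apache/2.2.17",
    "Apache/2.2.17 (Unix)", "Apache/2.2.17 (Unix) PHP/5.3.3 mod_ssl/2.2.17",
    "nginx",
]
```

Calling `audit(SAMPLES)` returns every sample except the bare `Apache` value and the non-Apache one, each with the level it matches and the details it discloses.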