On 1/24/07, Simon Ashford <Simon.Ashford@xxxxxxxxx> wrote:
Hmmm... Doesn't seem to work. Still get "Server: Apache" in the HTTP headers regardless of SecServerSignature. Get the impression from various reading that the Server header is added by Apache pretty much at the very end of processing, after anything done by other modules. Probably something the developers ought to address. It would be nice, for example, to be able to put "ServerTokens None" or some such in the basic configuration file without needing any other modules loaded...

Go search the dev list. You'll see that this question has been addressed in depth, probably a dozen different times. The answer is: You don't gain any security by omitting or lying in the Server header, so it is your "security audit" that is faulty, not Apache.

(Many of us would still like to see the "ServerTokens None" option, but only to get rid of silly discussions like these. It doesn't actually do any good and can potentially do harm.)

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.