Eric Covener wrote:
On Mon, Dec 6, 2010 at 1:42 PM, Dave Stevens <geek@xxxxxxxxxxxx> wrote:
> ....
> Well, I hadn't, but it seems as if from a security point of view it might not be a bad idea. Is there any history or discussion on that? or perhaps a reference I can read up on?

http://httpd.apache.org/docs/current/mod/core.html#servertokens

There hasn't been much discussion that the info should be hidden by default.

Well, under the theory that letting a "hacker" know anything about the platform they may be trying to infiltrate gives them useful information they could abuse, I usually run my servers with ServerTokens Prod. I really wish there was a ServerTokens Custom (let me specify the string I want to return in the ServerSignature) or ServerTokens Stealth (don't supply any information in the ServerSignature).

Personally, I run my Firefox browsers with the ServerSpy addon -- so I always can see what the ServerSignature reads coming from the server. Usually I use that as a clue when the server I'm visiting does something I consider to be lame -- "Oh, that's the stupid XXXX server they're running, no wonder they have problems." But somebody with more malicious intent could interpret and abuse based on what they see.

--
J.Lance Wilkinson ("Lance")
InterNet: Lance.Wilkinson@xxxxxxx
Systems Design Specialist - Lead
Phone: (814) 865-4870
Digital Library Technologies
FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
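
As an added example (not part of the thread, and not Apache project code), here is one way to audit what a given ServerTokens setting actually exposes in the Server response header. The banner shapes follow the ServerTokens documentation linked above; the function names and the sample response heads are constructed for illustration.

```python
import re

# Server header shapes per ServerTokens level, from the core.html#servertokens
# documentation linked in the thread. Order matters: first match wins.
LEVELS = [
    ("Prod",  r"Apache"),
    ("Major", r"Apache/\d+"),
    ("Minor", r"Apache/\d+\.\d+"),
    ("Min",   r"Apache/\d+\.\d+\.\d+"),
    ("OS",    r"Apache/\d+\.\d+\.\d+ \([^)]+\)"),
    # Full with no module tokens is indistinguishable from OS.
    ("Full",  r"Apache/\d+\.\d+\.\d+ \([^)]+\)(?: \S+)+"),
]

def classify_banner(value):
    """Map a Server header value to a ServerTokens level, or None if not httpd-shaped."""
    for level, pattern in LEVELS:
        if re.fullmatch(pattern, value.strip()):
            return level
    return None

def audit_response_head(head):
    """Extract the Server header from a raw response head and list what it discloses."""
    banner = None
    for line in head.split("\r\n")[1:]:      # skip the status line
        if not line:                          # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            banner = value.strip()
    if banner is None:
        return {"banner": None, "level": None, "discloses": []}
    level = classify_banner(banner)
    discloses = {
        "Prod": ["product"],
        "Major": ["product", "major version"],
        "Minor": ["product", "minor version"],
        "Min": ["product", "exact version"],
        "OS": ["product", "exact version", "OS family"],
        "Full": ["product", "exact version", "OS family", "modules"],
    }.get(level, ["unrecognised banner"])
    return {"banner": banner, "level": level, "discloses": discloses}

# Constructed sample response heads (not captured from any real server).
SAMPLE_FULL = "HTTP/1.1 200 OK\r\nDate: Mon, 06 Dec 2010 19:00:00 GMT\r\nServer: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8o\r\n\r\n"
SAMPLE_PROD = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
```

Run against your own hosts' response heads, anything classified above Prod is a candidate for tightening ServerTokens.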