Quoting Hector A. Paterno:
> I have found a discrepancy between mod_auth and ServerTokens Prod.
>
> Using, openbsd CURRENT , apache 1.3.26, as the example:
>
> I add the following line to the httpd.conf file :
>
> ServerTokens Prod
>
> So, when I try to get the version/modules of apache with the HEAD
> method, I obtain as a reply only the type of the server :
>
> HEAD / HTTP/1.0\r\n\r\n
>
> [info]
> Server: Apache
> [info]
>
> But, when I enable mod_auth and try to access the protected directory
> with an invalid username / password, I obtain the following error :
>
> 401 Authorization Required
> [bleh bleh info]
> Apache/1.3.26 Server at xxxxx Port 80
>
> Giving me the version of the apache server.
>
> I'm not an apache guru, but from my point of view this seems to be a
> flaw(?) in the mod_auth module.

Hector, to disable the apache server signature (it's on by default)
you should add this to your httpd.conf and restart apache:

ServerSignature Off

The ServerTokens directive applies to the HTTP Server response header
only. Take a look at the apache manual for more details:

http://httpd.apache.org/docs/mod/core.html#serversignature
http://httpd.apache.org/docs/mod/core.html#servertokens

Best regards.

--
Alex Muntada <alexm at ac.upc.es>
http://people.ac.upc.es/alexm/
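
As an added example (not part of the original thread), a small Python check that reports the two disclosure channels the reply distinguishes: the Server header, governed by ServerTokens, and the error-page footer, governed by ServerSignature. The function names, the sample hostname and the constructed 401 responses are assumptions made for illustration.

```python
import re

# Product token with a version number, e.g. "Apache/1.3.26".
VERSION_RE = re.compile(r"\bApache/\d+(?:\.\d+)+")
# Footer line in the form quoted in the thread ("... Server at host Port 80").
SIGNATURE_RE = re.compile(r"Apache(?:/[\w.]+)?[^<\n]*? Server at \S+ Port \d+")


def audit_response(raw: str) -> dict:
    """Report which parts of a raw HTTP response disclose server details."""
    head, _, body = raw.partition("\r\n\r\n")
    server = ""
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    sig = SIGNATURE_RE.search(body)
    return {
        "server_header": server,
        "header_leaks_version": bool(VERSION_RE.search(server)),
        "signature_present": sig is not None,
        "signature_leaks_version": bool(sig and VERSION_RE.search(sig.group(0))),
    }


def make_401(server_header: str, footer: str) -> str:
    """Build a constructed 401 response (sample input, not captured traffic)."""
    head = [
        "HTTP/1.1 401 Authorization Required",
        f"Server: {server_header}",
        'WWW-Authenticate: Basic realm="constructed"',
        "Content-Type: text/html",
    ]
    body = "<H1>Authorization Required</H1>\n" + footer
    return "\r\n".join(head) + "\r\n\r\n" + body


# Constructed samples; www.example.com is a placeholder hostname.
FOOTER = "<ADDRESS>Apache/1.3.26 Server at www.example.com Port 80</ADDRESS>\n"
TOKENS_PROD_ONLY = make_401("Apache", FOOTER)        # the case in the thread
TOKENS_PROD_SIG_OFF = make_401("Apache", "")         # with ServerSignature Off
NEITHER_SET = make_401("Apache/1.3.26 (Unix)", FOOTER)

if __name__ == "__main__":
    for label, raw in [("ServerTokens Prod only", TOKENS_PROD_ONLY),
                       ("Prod + ServerSignature Off", TOKENS_PROD_SIG_OFF),
                       ("neither directive set", NEITHER_SET)]:
        print(label, audit_response(raw))
```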