On Wed, Oct 17, 2001 at 06:35:27AM +0200, Thomas Eibner wrote:
> I don't like the idea of people being able to change the server
> signature to something like "AnythingGoes/1.0", 'cause there is really
> no product called that, if it's Apache, it should say Apache or not
> say anything at all. And the disguising of the OS doesn't really matter
> either since there are other ways of figuring out what OS you're
> running. If people can't figure out how to patch the source to show
> up another name than Apache they really shouldn't be messing with it
> (IMHO).
>
> Is there a really good reason why you want something other than "Apache"
> to show up in the Server header? Security? Keeping up with security
> announcements and upgrading when necessary should be enough I think.
>
> Related to this: what is it going to do to the Netcraft survey when
> every kid on the block starts changing the server header to
> "MyCoolWebserver/2.0"?

To bring a little kick back in this old thread.. I noticed this while
casually surfing with lwp-request:

$ lwp-request -m HEAD http://www.mandrake.com/ | grep Server
Server: Apache-AdvancedExtranetServer/1.3.12 (NetRevolution/Linux-Mandrake) PHP/3.0.17-dev mod_ssl/2.6.4 OpenSSL/0.9.5a

And it seems like this goes into Mandrake's default apache distribution
too. So I thought, oh well, I guess Netcraft knows about this.. But in
fact it doesn't seem to be the case, on sites that use an unmodified
Apache header they display the string: "Apache users include ..." which
isn't the case when you check www.mandrake.com.

I might be overreacting, but from:

src/include/httpd.h:
 * "Product tokens should be short and to the point -- use of them for
 * advertizing or other non-essential information is explicitly forbidden."

It certainly seems like non-essential information to me, and I'm
wondering why Mandrake actually wants to call it
Apache-AdvancedExtranetServer?

Looking at http://www.securityspace.com/s_survey/data/200109/servers.html
it actually looks like a good deal of servers with this Server-string
are out there. Around 8200 hosts/vhosts alone in this survey.

Is this what people want to happen with the Server string or is it not
that big of a deal?

-- 
Thomas Eibner <http://thomas.eibner.dk/>
DnsZone <http://dnszone.org/>
mod_pointer <http://stderr.net/mod_pointer>
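
The Server value quoted in the message above, split into its product tokens and comments, as an added example that is not part of the original post. The function names and the two counting rules (exact "Apache" versus an "Apache-" prefix) are assumptions for illustration, not how any survey actually classifies servers.

```python
import re

# Constructed sample: the Server value quoted in the message above.
SAMPLE = ("Apache-AdvancedExtranetServer/1.3.12 (NetRevolution/Linux-Mandrake) "
          "PHP/3.0.17-dev mod_ssl/2.6.4 OpenSSL/0.9.5a")

# RFC 2616 "token": any CHAR except CTLs and separators.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PRODUCT = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")

def parse_server(value):
    """Return (products, comments): [(name, version-or-None)], [comment text]."""
    products, comments = [], []
    i, n = 0, len(value)
    while i < n:
        if value[i] in " \t":
            i += 1
        elif value[i] == "(":
            start, depth, i = i + 1, 1, i + 1
            while i < n and depth:
                if value[i] == "\\":      # quoted-pair: skip the escaped char
                    i += 1
                elif value[i] == "(":
                    depth += 1
                elif value[i] == ")":
                    depth -= 1
                i += 1
            if depth:
                raise ValueError("unterminated comment")
            comments.append(value[start:i - 1])
        else:
            m = _PRODUCT.match(value, i)
            if not m:
                raise ValueError(f"bad product token at offset {i}")
            products.append((m.group(1), m.group(2)))
            i = m.end()
    return products, comments

def classify(value):
    """Apply two hypothetical counting rules to the first product name."""
    products, _ = parse_server(value)
    name = products[0][0] if products else ""
    return {
        "first_product": name,
        "exact_apache": name == "Apache",
        "apache_derived": name == "Apache" or name.startswith("Apache-"),
        "disclosed_versions": [f"{p}/{v}" for p, v in products if v],
    }
```

Running `classify(SAMPLE)` shows the renamed first token failing an exact-match rule while the same header still lists four component versions.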