> From: Aaron Bannert [mailto:[EMAIL PROTECTED]] > > On Sat, Jun 15, 2002 at 11:02:18AM -0400, Joshua Slive wrote: > > [EMAIL PROTECTED] wrote: > > >rbb 2002/06/15 00:01:25 > > > > > > Modified: docs/error/include bottom.html > > > Log: > > > Comment out the SERVER_STRING variable from our default error > documents. > > > Some people do not like having this information in their error pages, > and > > > it makes sense to not do it by default. If users want this back, > they > > > can uncomment it. > > > > > > PR: 9319 > > > > Personally, I think this is silly. The server signature on error pages > > is there for a good reason: helping people debug problems, especially > > with requests that pass through proxies, etc. > > I agree, and the same logic above applies in reverse: > > If an admin doesn't want to reveal the server string in the > error document, they can remove that part themselves.
With one major difference. We provide server configuration directives to stop this stuff from being displayed. Whether they are correct or not, many admins do believe that they are improving security by not exposing this information. The problem is that you can change the config and not affect the default error pages that we ship. If you want to get the information, then it is easy to add back. However, I would simply suggest that the default error documents should not be included in the default config. Include the files, comment the config, and this issue goes away. As things stand right now, most admins have no clue that we have replaced the default Apache error documents which is why putting information that they _may_ want to keep private in them is completely wrong. Ryan
