On 12/6/06, Paul Querna <[EMAIL PROTECTED]> wrote:

> This thread is making me sad.

No tears ;)  The somewhat bright side is that pushing on this tender
spot until it hurts should at the very least avoid having the same
discussion here for the next couple of years, and at the most can
avoid a lot of other wasteful discussions permanently ;)  The middle
ground of documenting explicitly why you can't directly turn it off
should also be achievable.

Proposed documentation for the ServerTokens directive.

Special note:

Apache HTTP Server users suggest from time to time that the
ServerTokens directive allow the Server response header to be
eliminated completely.  This feature suggestion is rejected for the
following reasons:

* The Apache HTTP Server project wants surveys of web server usage,
such as the well-known Netcraft survey, to more accurately represent
the actual use of Apache httpd.  While some web server administrators
currently modify the Apache HTTP Server source code or install
third-party modules which can remove the Server header, too few
administrators do this to significantly alter the results.  The same
may not be true if it is an easily-accessible feature.

* The Apache HTTP Server project believes that most people who want to
avoid sending the Server header mistakenly think that doing so may
protect their server from attacks based on known flaws in older Apache
HTTPD releases, when in fact the only reasonable way to address these
flaws is to upgrade to new Apache HTTPD releases which correct
security problems affecting your configuration.  By restricting the
ability to configure Apache in this manner, we wish to raise awareness
of the need to upgrade when critical vulnerabilities are addressed.

(what other reasons go here?)
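For reference, an added configuration example (not part of the message above or of the httpd project's own documentation) showing the range the ServerTokens directive actually offers, so the documentation note can be read against it. The version and module strings in the comments are illustrative placeholders, not a real build:

```apache
# ServerTokens controls how much of the build the Server header reveals.
# Every setting still emits a Server header; none of them removes it,
# which is the point the proposed documentation note explains.

# Most verbose (default): product, version, OS, and loaded modules, e.g.
#   Server: Apache/2.2.x (Unix) mod_ssl/2.2.x OpenSSL/0.9.x   (illustrative)
ServerTokens Full

# Progressively less detail:
#   ServerTokens OS     ->  Server: Apache/2.2.x (Unix)
#   ServerTokens Min    ->  Server: Apache/2.2.x
#   ServerTokens Minor  ->  Server: Apache/2.2
#   ServerTokens Major  ->  Server: Apache/2

# Least verbose: product name only.
#   Server: Apache
ServerTokens Prod

# Related, but a different header: stop appending the version line to
# server-generated pages (error documents, directory listings).
ServerSignature Off
```

Note that ServerTokens is server-wide (it cannot be set per virtual host), and that ServerSignature only affects server-generated page bodies, not the Server response header itself.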
