On Wed, Dec 06, 2006 at 01:43:49PM -0500, Jeff Trawick wrote:
> * The Apache HTTP Server project believes that most people who want to
> avoid sending the Server header mistakenly think that doing so may
> protect their server from attacks based on known flaws in older Apache
> HTTPD releases, when in fact the only reasonable way to address these
> flaws is to upgrade to new Apache HTTPD releases which correct
> security problems affecting your configuration. By restricting the
> ability to configure Apache in this manner, we wish to raise awareness
> of the need to upgrade when critical vulnerabilities are addressed.
>
> (what other reasons go here?)
I think the more important thing about the "security" reason is that it actually *degrades* security, because it impedes the ability to audit. Finding out-of-date installations is an nmap one-liner if you leave the Server header alone. If you disable it, you have to start logging in to the boxes (and getting that access and so on) and check things locally. I'd make that point.

Personally I think we should include the functionality; I'm always in favour of allowing people to shoot themselves in the foot. Sometimes it's the only way they learn ;-)

-- 
Colm MacCárthaigh
Public Key: [EMAIL PROTECTED]
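To illustrate the audit point made above, here is an added example (not part of the thread, and not Apache project code) that classifies hosts from their Server header: a version is compared against an assumed minimum, and a host that hides its version is flagged as one that must be checked locally. The hostnames, header values and the minimum version are constructed placeholders.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample Server header values, one per host, as an auditor might
# collect them with a network scanner. Hostnames are placeholders.
SAMPLE_HEADERS: Dict[str, str] = {
    "web1.example": "Apache/2.2.3 (Unix) mod_ssl/2.2.3",
    "web2.example": "Apache/2.0.46 (Red Hat)",
    "web3.example": "Apache",  # ServerTokens Prod: version not disclosed
    "web4.example": "nginx/1.2.0",
}

APACHE_RE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)")


def apache_version(server: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) parsed from a Server header, or None
    when the header does not disclose an Apache version."""
    m = APACHE_RE.match(server)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def audit(headers: Dict[str, str],
          minimum: Tuple[int, int, int] = (2, 2, 3)) -> Dict[str, str]:
    """Classify each host as 'current', 'outdated', 'unknown' (Apache, but the
    version is hidden so a remote audit cannot decide) or 'not-apache'.
    The default minimum is an assumed placeholder, not a real advisory."""
    report: Dict[str, str] = {}
    for host, server in headers.items():
        version = apache_version(server)
        if version is None:
            # Hidden versions are exactly the case that forces a local check.
            report[host] = "unknown" if server.startswith("Apache") else "not-apache"
        elif version < minimum:
            report[host] = "outdated"
        else:
            report[host] = "current"
    return report


if __name__ == "__main__":
    for host, status in audit(SAMPLE_HEADERS).items():
        print(f"{host}: {status}")
```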
