I'm not too fond of being able to remove it either. It can always be set to "Apache" with the current configuration options, and that should keep people worried about exploits somewhat satisfied.

Even if you were able to hide it completely, a good script could figure out if it's a 1.3, 2.0 or 2.2 based on how it handles retain requests and on the directory listing, for example.

As ~Jorge

On Tue, Sep 1, 2009 at 11:36 PM, William A. Rowe, Jr. <[email protected]> wrote:
> Why attach email doesn't work in Thunderbird is beyond me...
>
> This was Jeff's starting point for documenting ServerTokens Off.
>
>
> -------- Original Message --------
> Subject: Re: vote on concept of ServerTokens Off
> Date: Wed, 6 Dec 2006 13:43:49 -0500
> From: Jeff Trawick <[email protected]>
> Reply-To: [email protected]
> To: [email protected]
> References: <[email protected]> <[email protected]> <[email protected]> <[email protected]>
>
> On 12/6/06, Paul Querna <[email protected]> wrote:
>
>> This thread is making me sad.
>
> No tears ;) The somewhat bright side is that pushing on this tender
> spot until it hurts should at the very least avoid having the same
> discussion here for the next couple of years, and at the most can
> avoid a lot of other wasteful discussions permanently ;) The middle
> ground of documenting explicitly why you can't directly turn it off
> should also be achievable.
>
> Proposed documentation for the ServerTokens directive.
>
> Special note:
>
> Apache HTTP Server users suggest from time to time that the
> ServerTokens directive allow the Server response header to be
> eliminated completely. This feature suggestion is rejected for the
> following reasons:
>
> * The Apache HTTP Server project wants surveys of web server usage,
> such as the well-known Netcraft survey, to more accurately represent
> the actual use of Apache httpd. While some web server administrators
> currently modify the Apache HTTP Server source code or install
> third-party modules which can remove the Server header, too few
> administrators do this to significantly alter the results. The same
> may not be true if it is an easily-accessible feature.
>
> * The Apache HTTP Server project believes that most people who want to
> avoid sending the Server header mistakenly think that doing so may
> protect their server from attacks based on known flaws in older Apache
> HTTPD releases, when in fact the only reasonable way to address these
> flaws is to upgrade to new Apache HTTPD releases which correct
> security problems affecting your configuration. By restricting the
> ability to configure Apache in this manner, we wish to raise awareness
> of the need to upgrade when critical vulnerabilities are addressed.
>
> (what other reasons go here?)
> .
>
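For reference, here is what the "set it to Apache" option from the message above looks like in an httpd configuration. This is an added example, not part of the thread and not text from the httpd project's documentation; the version and module strings in the comments are constructed illustrations of the header shapes, not values from any real deployment.

```apache
# Added example (not from the mailing-list thread). Shows the weak default
# beside the tightest setting httpd's own ServerTokens directive allows.
# Sample header values in the comments are constructed, not captured.

# --- Weak: the shipped default -------------------------------------------
# ServerTokens Full is the default. It advertises the exact version, the
# platform and every loaded module that registers a component, roughly:
#   Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8k PHP/5.2.10
# ServerSignature On appends a version/hostname footer to server-generated
# pages (error documents, directory listings).
#
#ServerTokens Full
#ServerSignature On

# --- Hardened: as far as the directive goes ------------------------------
# The intermediate levels trim the header step by step:
#   OS       -> Server: Apache/2.2.13 (Unix)
#   Minimal  -> Server: Apache/2.2.13
#   Minor    -> Server: Apache/2.2
#   Major    -> Server: Apache/2
#   Prod     -> Server: Apache
# Prod is the floor: the header is still sent, it just names the product.
ServerTokens Prod

# Remove the footer from server-generated pages so the version is not
# leaked there even when the header says only "Apache".
ServerSignature Off
```

To confirm what a client actually sees after a reload, fetch the headers only, e.g. `curl -sI http://localhost/ | grep -i '^Server:'`. One caveat worth knowing: `Header unset Server` from mod_headers does not strip this header, because the core adds it at send time after mod_headers has run; as the quoted message says, only a source change or a third-party module gets rid of it entirely.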
