Hi all
Recently during a client security audit, the "Server: NaviServer/4.99.28"
response header was flagged as an issue. The client has asked us to remove the
header, if possible.
The RFC suggests that the "Server: " header is optional, so I believe this
should be OK to remove. https://www.rfc-editor.org/rfc/rfc7231#section-7.4.2
We would like to propose a new config file boolean parameter "showserverheader"
with default true.
Ns_ConnConstructHeaders in return.c could then check this parameter before
outputting the "Server: " header e.g. something like this:
    /* Emit the Server header only when the config boolean allows it;
     * `path` is the config section being read, and the default stays true. */
    if (Ns_ConfigBool(path, "showserverheader", NS_TRUE) == NS_TRUE) {
        Ns_DStringVarAppend(dsPtr, "Server: ", Ns_InfoServerName(), "/",
                            Ns_InfoServerVersion(), "\r\n",
                            (char *)0L);   /* Ns_DStringVarAppend needs a NULL terminator */
    }
Thoughts? Alternatives?
thanks
Brian
_______________________________________________
naviserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
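To make the proposal concrete, here is an added, self-contained C example (not NaviServer code and not Brian's snippet) that models the gate in plain C with a stand-in boolean in place of Ns_ConfigBool(), and pairs it with the check an auditor would run: scan a raw header block for a Server header that carries a product/version token such as "NaviServer/4.99.28" (that name and version are the only values taken from the message; the function names and the stub config are assumptions of this example).

```c
/* Added example, not NaviServer code: models the proposed "showserverheader"
 * switch with a stub config value, and includes an audit check that looks
 * for a version-bearing Server header in the resulting response headers. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the server's config store (real NaviServer would read this
 * through Ns_ConfigBool()); defaults to true as proposed in the message. */
static bool config_show_server_header = true;

static void set_show_server_header(bool on) {
    config_show_server_header = on;
}

/* Build a minimal response header block into buf, mirroring the proposed
 * gate in Ns_ConnConstructHeaders. Returns bytes written (without the NUL)
 * or -1 if buf is too small. */
static int construct_headers(char *buf, size_t buflen) {
    int n = snprintf(buf, buflen, "HTTP/1.1 200 OK\r\n");
    if (n < 0 || (size_t)n >= buflen) return -1;

    if (config_show_server_header) {
        /* Name and version strings as quoted in the audit finding. */
        int m = snprintf(buf + n, buflen - (size_t)n, "Server: %s/%s\r\n",
                         "NaviServer", "4.99.28");
        if (m < 0 || (size_t)m >= buflen - (size_t)n) return -1;
        n += m;
    }

    int m = snprintf(buf + n, buflen - (size_t)n, "Content-Length: 0\r\n\r\n");
    if (m < 0 || (size_t)m >= buflen - (size_t)n) return -1;
    return n + m;
}

/* Case-insensitive prefix test over the first len bytes of s
 * (header field names are case-insensitive per RFC 7230). */
static bool has_prefix_ci(const char *s, size_t len, const char *prefix) {
    size_t plen = strlen(prefix);
    if (len < plen) return false;
    for (size_t i = 0; i < plen; i++) {
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return false;
    }
    return true;
}

/* Audit check over a raw header block (CRLF-separated, blank line ends it).
 * Returns 0 = no Server header, 1 = Server header present but without a
 * "/<digit>" version token, 2 = Server header discloses a version. */
static int server_header_status(const char *headers) {
    const char *line = headers;
    while (*line != '\0') {
        const char *eol = strstr(line, "\r\n");
        size_t len = (eol != NULL) ? (size_t)(eol - line) : strlen(line);
        if (len == 0) break;                       /* end of header block */
        if (has_prefix_ci(line, len, "Server:")) {
            const char *v = line + 7;
            const char *end = line + len;
            while (v < end && *v == ' ') v++;      /* skip OWS after the colon */
            for (const char *p = v; p + 1 < end; p++) {
                if (*p == '/' && isdigit((unsigned char)p[1])) return 2;
            }
            return 1;
        }
        if (eol == NULL) break;
        line = eol + 2;
    }
    return 0;
}

int main(void) {
    char buf[256];
    set_show_server_header(true);
    construct_headers(buf, sizeof buf);
    printf("default:  status=%d\n%s", server_header_status(buf), buf);
    set_show_server_header(false);
    construct_headers(buf, sizeof buf);
    printf("disabled: status=%d\n%s", server_header_status(buf), buf);
    return 0;
}
```

The check deliberately keys on the "/<digit>" pattern rather than on the product name, so the same scan can be run against other servers' responses during an audit, and it distinguishes a header that merely names the product (status 1) from one that discloses the version (status 2), which is the part most scanners flag.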