On 11/19/01 9:39 PM, "Thomas Eibner" <[EMAIL PROTECTED]> wrote:
> On Wed, Oct 17, 2001 at 06:35:27AM +0200, Thomas Eibner wrote:
>> I don't like the idea of people being able to change the server
>> signature to something like "AnythingGoes/1.0", 'cause there is really
>> no product called that, if it's Apache, it should say Apache or not
>> say anything at all. And the disguising of the OS doesn't really matter
>> either since there are other ways of figuring out what OS you're
>> running. If people can't figure out how to patch the source to show
>> up another name than Apache they really shouldn't be messing with it
>> (IMHO).
>>
>> Is there a really good reason why you want something other than "Apache"
>> to show up in the Server header? Security? Keeping up with security
>> announcements and upgrading when necessary should be enough I think.
>>
>> Related to this: what is it going to do to the Netcraft survey when
>> every kid on the block starts changing the server header to
>> "MyCoolWebserver/2.0"?
>
> To bring a little kick back in this old thread..
>
> I noticed this while casually surfing with lwp-request:
> $ lwp-request -m HEAD http://www.mandrake.com/ | grep Server
> Server: Apache-AdvancedExtranetServer/1.3.12 (NetRevolution/Linux-Mandrake)
> PHP/3.0.17-dev mod_ssl/2.6.4 OpenSSL/0.9.5a
>
> And it seems like this goes into Mandrake's default apache distribution
> too.
>
> So I thought, oh well, I guess Netcraft knows about this.. But in fact it
> doesn't seem to be the case, on sites that use an unmodified Apache header
> they display the string: "Apache users include ..." which isn't the case
> when you check www.mandrake.com.
>
> I might be overreacting, but from: src/include/httpd.h:
>
> * "Product tokens should be short and to the point -- use of them for
> * advertizing or other non-essential information is explicitly forbidden."
>
> It certainly seems like non-essential information to me, and I'm wondering
> why Mandrake actually wants to call it Apache-AdvancedExtranetServer?
>
> Looking at http://www.securityspace.com/s_survey/data/200109/servers.html
> it actually looks like a good deal of servers with this Server-string
> are out there. Around 8200 hosts/vhosts alone in this survey.
>
> Is this what people want to happen with the Server string or is it not
> that big of a deal?

Personally I always thought advertising your version # and list of modules
is just an invitation to get hit... The serverstring's only use IMHO is to
get your Netcraft numbers up.