> > minfrin 02/03/22 10:34:46 > > > > Modified: . CHANGES > > modules/http http_protocol.c > > Log: > > When a proxied site was being served, Apache was replacing > > the original site Server header with it's own, which is not > > allowed by RFC2616. Fixed. > > This may be my imagination, but won't this allow any module (or even cgi > script) to set the Server header and override the default one. Do we want > this? (I'm undecided, but it is a significant change from previous > behavior.)
Agree, it should be an option at least. There are certain instances where you may want to prevent the original server header from being exposed, to avoid information leaking. For example if you are load balancing IIS servers or specific application server versions. Daniel
