[EMAIL PROTECTED] wrote: > rbb 2002/06/15 00:01:25 > > Modified: docs/error/include bottom.html > Log: > Comment out the SERVER_STRING variable from our default error documents. > Some people do not like having this information in their error pages, and > it makes sense to not do it by default. If users want this back, they > can uncomment it. > > PR: 9319
Personally, I think this is silly. The server signature on error pages is there for a good reason: helping people debug problems, especially with requests that pass through proxies, etc. My opinion is that we should do one or both of the following: - Comment out the multi-lingual error messages in the default config. I think these are great to have, and I recommend that everyone use them, but they use a bunch of features that aren't used anywhere else in the default install, and therefore open many potential security problems. - Add a ServerSignature CGI environment variable that we can test on in the error pages and deliver the appropriate content. Joshua.
