The point of stripping Date and Last-modified headers is that HTTP
fingerprinting tools look at things like header order, the formatting of
dates and times, etc.

The ServerTokens directive currently can at best be set to Prod, which
will cause it to return "Apache".

Anyhow, how about a patch that just allows ServerTokens to be set to
"None" and gets rid of just the Server header?

Alternately, does anybody know why the Server, Date, Accept-Ranges,
Last-Modified, and other headers are put in last, after things like
mod_headers run?  Perhaps a better patch would be to move the code that
adds these headers to the response earlier in the code so that users can
simply use mod_headers to strip whichever ones they want, or a module
for randomizing header order could be written, etc.

Phil

> -----Original Message-----
> From: Graham Leggett [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, March 22, 2003 9:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Removing Server: header
> 
> 
> Brass, Phil (ISS Atlanta) wrote:
> 
> > Hi, I recently patched my debian apache server source to add a new 
> > ServerToken value, ServerToken=Hide, which will remove the Server, 
> > Date, and Last-Modified headers (to make server identification a 
> > little more difficult (yes I know this is bad for proxies, 
> > if that's a 
> > big deal we can just have it remove the Server: header, that's 
> > probably all most people would expect anyway)).
> 
> I'm curious - what benefit would be had by stripping Date and 
> Last-Modified?
> 
> Does Apache not already have an override for the Server value?
> 
> Regards,
> Graham
> -- 
> -----------------------------------------
> [EMAIL PROTECTED]             "There's a moon
>                                       over Bourbon Street
>                                               tonight..."
> 
> 
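To see what the thread is arguing about in concrete terms, here is an added audit helper (not code from this thread or from httpd) that parses a raw HTTP response, records the header order, and maps the Server header back to the ServerTokens level that produces it, using the header shapes the httpd documentation lists for each level. The sample responses are constructed, not captured from any real host.

```python
import re

# Header shapes the httpd docs give for each ServerTokens level, most
# verbose first so the first match is the most specific one.
SERVERTOKENS_LEVELS = [
    ("Full",    re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\) \S+")),
    ("OS",      re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$")),
    ("Minimal", re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("Minor",   re.compile(r"^Apache/\d+\.\d+$")),
    ("Major",   re.compile(r"^Apache/\d+$")),
    ("Prod",    re.compile(r"^Apache$")),
]

def parse_response_headers(raw: bytes):
    """Return the status line and an ordered list of (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def classify_server_token(value: str) -> str:
    """Map a Server header value to the ServerTokens level that emits it."""
    for level, pattern in SERVERTOKENS_LEVELS:
        if pattern.match(value):
            return level
    return "unknown"

def audit_headers(raw: bytes) -> dict:
    """Summarise what a response exposes to header-based fingerprinting."""
    _, headers = parse_response_headers(raw)
    names = [n for n, _ in headers]
    server = dict(headers).get("Server")
    return {
        "header_order": names,          # order is itself a fingerprint
        "server_present": server is not None,
        "servertokens_level": classify_server_token(server) if server else None,
        "date_present": "Date" in names,
        "last_modified_present": "Last-Modified" in names,
    }

# Constructed sample responses (assumed values, not from a real server).
VERBOSE = (b"HTTP/1.1 200 OK\r\nDate: Sat, 22 Mar 2003 09:55:00 GMT\r\n"
           b"Server: Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.1.2\r\n"
           b"Last-Modified: Fri, 21 Mar 2003 12:00:00 GMT\r\n"
           b"Accept-Ranges: bytes\r\nContent-Type: text/html\r\n\r\n<html>")
PROD = (b"HTTP/1.1 200 OK\r\nDate: Sat, 22 Mar 2003 09:55:00 GMT\r\n"
        b"Server: Apache\r\nContent-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE), ("prod", PROD)):
        print(label, audit_headers(resp))
```

Run against your own server's responses, the report shows whether ServerTokens Prod is in effect and which of the headers discussed above are still present.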
