Date: Wed, 26 Mar 2003 15:30:53 -0500
From: "Brass, Phil (ISS Atlanta)" <[EMAIL PROTECTED]>
> OK, so given that Date and Last-Modified are required response headers
> and everybody pretty much hates the idea of removing them, and that
> removing the Server header amounts to nothing more than security by
> obscurity, is anybody still interested in seeing a patch that offers a
> ServerTokens value of None and strictly prevents the addition of the
> Server: header to the response? If so I'd be happy to do it.

Removing the server header won't hurt. Perhaps you could try to make the ordering of the added headers quasi random. I don't know how much room the RFC lets you use a quasi random formatting of the headers' values. Your casual wannabe hacker will be confused (or his script). But I don't think that this simple obscuring scheme will block any serious attack.

Masi

PS: Some HTTP clients fake their identity. Why not lie on the server side. Add a fake Server header on a random basis. Now we're an IIS, the next moment we're a Zeus :-)
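As an added illustration of the ServerTokens question above (example code written for this page, not from the thread or from Apache), the audit below maps a response's Server header onto Apache's existing ServerTokens tiers, reports the absent case a ServerTokens None setting would produce, and confirms that Date and Last-Modified are still present; the sample heads, version strings and dates are constructed.

```python
import re
# Patterns follow Apache's documented ServerTokens shapes: Full "Apache/2.0.44 (Unix) mod_ssl/2.0.44",
# OS "Apache/2.0.44 (Unix)", Min "Apache/2.0.44", Minor "Apache/2.0", Major "Apache/2", Prod "Apache".
_TIERS = [
    ("Full", re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\) \S+")),
    ("OS", re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$")),
    ("Min", re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("Minor", re.compile(r"^Apache/\d+\.\d+$")),
    ("Major", re.compile(r"^Apache/\d+$")),
    ("Prod", re.compile(r"^Apache$")),
]

def parse_head(raw):
    """Map lower-cased header names to values from a raw response head."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:  # the blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def disclosure_level(server):
    """Classify a Server value as a ServerTokens tier, 'None' or 'Other'."""
    if server is None:
        return "None"  # what a ServerTokens None setting would produce
    for tier, pattern in _TIERS:
        if pattern.match(server):
            return tier
    return "Other"  # non-Apache product string or a faked identity

def audit(raw):
    """Report the Server disclosure tier and whether Date/Last-Modified remain."""
    h = parse_head(raw)
    return {"server_tokens": disclosure_level(h.get("server")),
            "date_present": "date" in h,
            "last_modified_present": "last-modified" in h}

# Constructed sample heads; versions and dates are made up for the example.
_COMMON = ("HTTP/1.1 200 OK\r\nDate: Wed, 26 Mar 2003 20:30:53 GMT\r\n"
           "Last-Modified: Tue, 25 Mar 2003 10:00:00 GMT\r\n")
SAMPLES = {
    "full": _COMMON + "Server: Apache/2.0.44 (Unix) mod_ssl/2.0.44\r\n\r\n",
    "prod": _COMMON + "Server: Apache\r\n\r\n",
    "none": _COMMON + "\r\n",
    "faked": _COMMON + "Server: Microsoft-IIS/5.0\r\n\r\n",
}
if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit(raw))
```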
