----- Original Message -----
From: "Graham Leggett"

> Martin Kutschker wrote:
>
> > Removing the server header won't hurt.
>
> Removing the server header is a protocol violation, and serves no purpose.
How is it a protocol violation? I can't find anywhere in the HTTP 1.1 protocol where it says the Server header is required. In fact, it says it's "encouraged" that this field be configurable for security reasons (but doesn't specify if that means only configuring the value or possibly configuring whether the header exists or not). See:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38

I'll agree that configuring it to not say Apache doesn't serve very much useful purpose (since it's only security by obscurity), but neither does our current policy of allowing hiding the Apache version number (since that's security by obscurity too). It's one and the same, whether you hide the product name or the version number... it makes no difference.

The only difference I can see is that it will make it nearly impossible for people to accurately track the number of Apache servers out there in the world, so I guess we keep it for vanity purposes?

Sorry if everyone's already talked this issue to death and is sick and tired of it; I don't remember it happening since I joined several months to a year ago.

Dave
