On 08/21/2006 12:34 AM, Lars Eilebrecht wrote:
>
> > For offering such an option with Apache I've only seen two arguments:
> >
> > 1. Making the server more secure by not revealing any (or fake)
> > server information.
> >
> > 2. Saving bandwidth.
>
> Well, when we've had similar discussions in the past they were
> usually about argument No. 1, but the consensus was always that
> a security-by-obscurity feature in Apache does not make sense.

+1, OTH we partially have these security-by-obscurity features as we can reduce what Apache reports in the Server header, by removing the version number and the modules loaded.

> Saving bandwidth is a valid point, but as I already pointed out

Does saving 17 bytes per request really change a lot? For the small one pixel pictures that might be true, but for most requests I would guess that this saves less than 1% of the request size. I would guess that cleaning html pages and compressing content gives you much more savings in this case.

> in my previous email, it is only relevant to a very very tiny fraction
> of Apache users. Those users who run a high-traffic web site usually
> use self-compiled, or customized versions of Apache anyway, and for
> them it's easy to modify the code themselves to get rid of the Server
> header.

Given my arguments above +1 to this.

> Apart from that, it's also possible to customize the Server header by
> using mod_security which has a configuration directive for this.

Not that I want to use it, but I am just curious about which one that could be. I know that you can hide the presence of mod_security itself from the server header, but I do not know how to remove the Server header completely with mod_security.

Regards

Rüdiger
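The two mechanisms discussed in the thread, side by side, as an added httpd configuration example (not from the message above or the httpd project): the verbose default, the built-in reduced reporting Rüdiger refers to, and the ModSecurity 2.x directive Lars alludes to. The directive names are real httpd/ModSecurity directives; the banner strings in the comments are illustrative.

```apache
# --- Variant A: verbose reporting (the setting to move away from) ---
# Yields e.g. "Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 PHP/5.1.6"
# and appends the version/host line to error pages and index listings.
ServerTokens Full
ServerSignature On

# --- Variant B: reduced reporting with core httpd only ---
# "ServerTokens Prod" trims the header to "Server: Apache" (no version,
# no OS, no module list); "ServerSignature Off" drops the trailer line.
# The Server header itself is still sent; this only shortens it.
ServerTokens Prod
ServerSignature Off

# --- Variant C: custom banner via ModSecurity 2.x ---
# SecServerSignature overwrites the banner string in place, so it only
# takes effect when ServerTokens is Full; it replaces the value rather
# than removing the header.
ServerTokens Full
SecServerSignature "Apache"
```

Pick one variant per server; after a reload, `curl -sI http://localhost/ | grep -i '^Server:'` shows which banner is actually being sent.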
