On 8/21/06, Ruediger Pluem <[EMAIL PROTECTED]> wrote:
> Not that I want to use it, but I am just curious about which one that could be. I know that you can hide the presence of mod_security itself from the server header

ModSecurity does not advertise itself in the Server header, at least not any more. (It only did that in the very early days, before I realised it was a mistake.)

> but I do not know how to remove the Server header completely with mod_security.

It is not possible to remove the Server header completely. ModSecurity can only change it to something else. But I guess one could write an output filter to remove it. In fact, I seem to recall someone mentioning such an output filter recently. Now if I could only remember where...

BTW, for all it's worth, I think Apache should support Server header removal/customisation natively. People that want to change/remove the Server header will do that anyway. Apache supporting the feature directly would mean that they will be able to do the job quickly and get on with their lives.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
