On 12/6/06, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
Wed 2006-12-06 at 09:38 -0500, Jeff Trawick wrote:

> Why other than ego do we want to make it hard to disable this output?

Technical reason:

Not advertising the brand and version makes it very hard for clients
(user-agents and proxies) to apply workarounds when needed.

As an example Squid currently has a workaround for how Apache handles
ETag in responses which have been modified by mod_deflate. In future we
hope to be able to disable that for versions known to be fixed.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39727

Not sending the server name and version will make this harder.

Since this capability of working around issues in certain levels of
Apache requires both the server name and version to be advertised,
that is an argument against something you've been able to do since
Apache 1.3.14 (hide the version).  Colm had another argument in that
category.  So we could list some reasons to avoid using the existing
capability to hide the server version:

* make it easy to audit your web server installations for out of date versions
* allow other software, such as proxy servers, to work around problems
in your level of Apache
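
Added example, not part of the original message and not Squid or Apache code: a sketch of how a proxy or an audit script could read the Server header to decide whether an Apache-version-specific workaround still applies, including the case where the version is hidden. `FIXED_IN` is a constructed placeholder, since the thread does not name a fixed release; the function names are hypothetical.

```python
import re

# Placeholder threshold (constructed): the thread does not say which
# Apache release fixes the mod_deflate ETag behaviour.
FIXED_IN = (99, 0, 0)

# Matches either a parenthesised comment or a product token "name[/version]".
_TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

def parse_server(header):
    """Return [(product, version-or-None), ...] from a Server header value."""
    products = []
    for m in _TOKEN.finditer(header or ""):
        if m.group(2):  # a product token; comments like "(Unix)" are skipped
            products.append((m.group(2), m.group(3)))
    return products

def version_tuple(text):
    """'2.2.3' -> (2, 2, 3); None if the text is not purely dotted digits."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def needs_workaround(header):
    """Decide whether a client must keep the Apache-specific workaround.

    'yes'     - Apache with a known version older than FIXED_IN
    'no'      - not Apache, or Apache at or after FIXED_IN
    'unknown' - header missing or version hidden, so the client cannot
                tell and has to stay conservative
    """
    products = parse_server(header)
    if not products:
        return "unknown"
    name, version = products[0]  # first product is the server itself
    if name.lower() != "apache":
        return "no"
    parsed = version_tuple(version)
    if parsed is None:
        return "unknown"
    return "yes" if parsed < FIXED_IN else "no"
```

A header that carries only the product name lands in the `unknown` branch, which is the situation the message describes: the workaround can never be switched off for that server, and an audit cannot tell whether it is out of date.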
