On 11/28/18 4:38 PM, Alex Hautequest wrote:
> Can we have an empty SERVER header instead of the minimalistic but yet
> “revealing“ issued by the token when set as Prod? Most people are change this
> header either by patching themselves (and maintaining their patches), or by
> installing extra modules/plugins, but it would be very, very handy if this
> was an option from the main source itself.
> I did a quick and dirty patch for the latest release code, and as someone who
> doesn’t code anything past a hello world for quite a few years, it was simple
> enough I’m surprised how nobody cared to do it. Or perhaps this had been
> discussed before and the general consensus was to leave the bare minimum to
> Prod: if so, people that want to keep low would find their ways anyway, but
> giving us choice is not unusual from the spirit of FOSS.
This is addressed in the documentation itself. It has come up, numerous
times over the years, and the consensus has always been that having a
Server header is a Good Thing. It complies with the spec. Furthermore,
dropping the Server header gives people the mistaken idea that they are
being somehow more secure, when it does nothing of the sort.