rbowen 2002/06/30 13:09:18
Modified: htdocs/manual/misc FAQ-E.html
Log:
Added FAQ about modifying the Server: response header.
Revision Changes Path
1.20 +52 -1 httpd-docs-1.3/htdocs/manual/misc/FAQ-E.html
Index: FAQ-E.html
===================================================================
RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/misc/FAQ-E.html,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- FAQ-E.html 26 Jun 2002 02:24:18 -0000 1.19
+++ FAQ-E.html 30 Jun 2002 20:09:18 -0000 1.20
@@ -144,6 +144,8 @@
<li><a href="#options">Why do my Options directives not have
the desired effect?</a></li>
+ <li><a href="#serverheader">How can I change the information
+ that Apache returns about itself in the headers?</a><li>
</ol>
</li>
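Review bot: The new index entry ends with an opening <li> instead of a closing </li> (the line ending "in the headers?</a><li>"), which leaves the item unclosed and starts an empty list item just before </ol>. Change the trailing tag to </li> so the entry matches the "#options" entry above it.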
@@ -801,6 +803,55 @@
<code><Directory></code> section.</p>
<hr /></li>
+
+
+ <li><a id="serverheader" name="servername"><strong>How can I change
+ the information that Apache returns about itself in the
+ headers?</strong></a>
+
+ <p>When a client connects to Apache, part of the information returned in
+ the headers is the name "Apache" Additional information that can be sent
+ is the version number, such as "1.3.26", the operating system, and a
+ list of non-standard modules you have installed.</p>
+
+ <p>For example:</p>
+
+<blockquote><code>
+Server: Apache/1.3.26 (Unix) mod_perl/1.26
+</code></blockquote>
+
+ <p>Frequently, people want to remove this information, under the mistaken
+ understanding that this will make the system more secure. This is
+ probably not the case, as the same exploits will likely be attempted
+ regardless of the header information you provide.</p>
+
+ <p>There are, however, two answers to this question: the correct answer,
+ and the answer that you are probably looking for.</p>
+
+ <p>The correct answer to this question is that you should use the
+ ServerTokens directive to alter the quantity of information which is
+ passed in the headers. Setting this directive to <code>Prod</code> will
+ pass the least possible amount of information:</p>
+
+<blockquote><code>
+Server: Apache
+</code></blockquote>
+
+ <p>The answer you are probably looking for is how to make Apache lie
+ about what what it is, ie send something like:</p>
+
+<blockquote><code>
+Server: Bob's Happy HTTPd Server
+</code></blockquote>
+
+ <p>In order to do this, you will need to modify the Apache source code
and
+ rebuild Apache. This is not advised, as it is almost certain not to
+ provide you with the added security you think that you are gaining. The
+ exact method of doing this is left as an exercise for the reader, as we
+ are not keen on helping you do something that is intrinsically a bad
+ idea.</p>
+
+ <hr /></li>
</ol>
<!--#endif -->
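Review bot: The anchor for the new entry has mismatched attributes, id="serverheader" but name="servername", while the index link added in the first hunk targets #serverheader. Clients that resolve fragments through the name attribute will not find the target, so set name="serverheader" as well. Smaller text points in the same entry: the first paragraph lacks a period after the name "Apache", "about what what it is" has a doubled word, and ServerTokens could be wrapped in <code> the way Prod is, since it is the directive the reader is being told to use.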