Re: [PATCH] HTTP: stop emitting server version by default

2024-03-08 Thread Piotr Sikora via nginx-devel
Hi Sergey,

> I don't think this is a good idea to change the default behaviour
> for the directive we have for a long-long time. 

But it's arguably a wrong behavior, and keeping it forever wrong
because of a decision made ~20 years ago doesn't seem like
a particularly great idea.

Also, while I'm usually all for retaining backward-compatibility,
I cannot imagine this breaking anything.

> It's always possible
> to set `server_tokens off;' in the configuration file.

Right, but if you require the majority of users to change the defaults,
then those defaults are not very good.

> Also, this change requires a corresponding change in the
> documentation on the nginx.org website.

I'm happy to submit the corresponding change if the patch
is accepted.

Best regards,
Piotr Sikora
___
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel


Re: [PATCH] HTTP: stop emitting server version by default

2024-02-29 Thread Sergey A. Osokin
Hi Piotr,

thank you for the patch.

On Wed, Feb 28, 2024 at 01:20:35AM +, Piotr Sikora via nginx-devel wrote:

[...]

> HTTP: stop emitting server version by default.
> This information is only useful to attackers.
> The previous behavior can be restored using "server_tokens on".

[...]

I don't think this is a good idea to change the default behaviour
for the directive we have for a long-long time.  It's always possible
to set `server_tokens off;' in the configuration file.

Also, this change requires a corresponding change in the
documentation on the nginx.org website.

Thank you.

-- 
Sergey A. Osokin


[PATCH] HTTP: stop emitting server version by default

2024-02-27 Thread Piotr Sikora via nginx-devel
# HG changeset patch
# User Piotr Sikora 
# Date 1708977611 0
#  Mon Feb 26 20:00:11 2024 +
# Branch patch001
# Node ID a8a592b9b62eff7bca03e8b46669f59d2da689ed
# Parent  89bff782528a91ad123b63b624f798e6fd9c8e68
HTTP: stop emitting server version by default.

This information is only useful to attackers.

The previous behavior can be restored using "server_tokens on".

Signed-off-by: Piotr Sikora 

diff -r 89bff782528a -r a8a592b9b62e src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c   Wed Feb 14 20:03:00 2024 +0400
+++ b/src/http/ngx_http_core_module.c   Mon Feb 26 20:00:11 2024 +
@@ -3899,7 +3899,7 @@
 ngx_conf_merge_value(conf->etag, prev->etag, 1);
 
 ngx_conf_merge_uint_value(conf->server_tokens, prev->server_tokens,
-  NGX_HTTP_SERVER_TOKENS_ON);
+  NGX_HTTP_SERVER_TOKENS_OFF);
 
 ngx_conf_merge_ptr_value(conf->open_file_cache,
   prev->open_file_cache, NULL);
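
Review bot: The new NGX_HTTP_SERVER_TOKENS_OFF default in the ngx_conf_merge_uint_value() call for conf->server_tokens changes the output of every configuration that never sets the directive, and nothing in this patch records that for users. Suggest shipping it together with the update to the directive's documented default and a changelog entry stating that "server_tokens on" restores the previous behavior, so that anything that matches on the version string is adjusted at upgrade time.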