Bug#843014: Apache2: ServerTokens Minimal

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#843014: Apache2: ServerTokens Minimal
From: Heinrich Schuchardt <xypron.glpk@gmx.de>
Date: Thu, 3 Nov 2016 07:42:39 +0100
Message-id: <[🔎] a1e81759-34b3-50c7-a033-0cd5cc71af35@gmx.de>
Reply-to: Heinrich Schuchardt <xypron.glpk@gmx.de>, 843014@bugs.debian.org

Package: apache2
Version: 2.4.23-5
Severity: wishlist

Dear maintainer,

/etc/apache2/conf-available/security.conf currently defaults to
ServerTokens OS

This results in a header like:
Server: Apache/2.4.10 (Debian)

Sending the Apache and OS version is a waste of bandwidth.
Unfortunately Apache does not allow to completely suppress this
superfluous header.

Furthermore the current setting exposes valuable information to a
possible intruder:
Why should any HTTP client care which OS my server is using?

Please, change the default to
ServerTokens Minimal

Best regards

Heinrich Schuchardt

Reply to:

Follow-Ups:
- Bug#843014: Apache2: ServerTokens Minimal
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: pubcookie on jessie
Next by Date: Bug#843050: Fails to start when cache directory is missing
Previous by thread: pubcookie on jessie
Next by thread: Bug#843014: Apache2: ServerTokens Minimal
Index(es):
- Date
- Thread