[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#843014: Apache2: ServerTokens Minimal

Package: apache2
Version: 2.4.23-5
Severity: wishlist

Dear maintainer,

/etc/apache2/conf-available/security.conf currently defaults to
ServerTokens OS

This results in a header like:
Server: Apache/2.4.10 (Debian)

Sending the Apache and OS version is a waste of bandwidth.
Unfortunately Apache does not allow to completely suppress this
superfluous header.

Furthermore the current setting exposes valuable information to a
possible intruder:
Why should any HTTP client care which OS my server is using?

Please, change the default to
ServerTokens Minimal

Best regards

Heinrich Schuchardt

Reply to: