
Bug#843014: Apache2: ServerTokens Minimal



tags 843014 wontfix
thanks

On Thursday, 3 November 2016 07:42:39 CET Heinrich Schuchardt wrote:
> This results in a header like:
> Server: Apache/2.4.10 (Debian)
> 
> Sending the Apache and OS version is a waste of bandwidth.
> Unfortunately Apache does not allow one to completely suppress this
> superfluous header.
> 
> Furthermore the current setting exposes valuable information to a
> possible intruder:
> Why should any HTTP client care which OS my server is using?

There are services that create statistics of the whole internet based on the 
Server header. Including Debian there gives an idea how many servers run 
Debian compared to other OSs, and which release of Debian. Therefore I prefer 
not to change the default. I don't think the bandwidth waste is relevant in 
most setups. On systems where it is, the admin can change the setting, of 
course.

While it is true that knowing the OS may give a potential advantage to an 
attacker, it is usually also possible to infer this information from other 
properties of the default configuration. If your security depends on the OS 
being secret, you have bigger problems.

Cheers,
Stefan
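As an added illustration (not part of this bug thread or of the Apache package), a small Python audit helper that reads the Server header out of an HTTP response and reports which ServerTokens level (Prod, Major, Minor, Minimal, OS, Full) would produce it, so an admin can check what a host actually exposes. The sample response and the module string in the Full case are constructed.

```python
import re
from typing import Optional, Tuple

# Server header shapes for each ServerTokens level, per the Apache core docs:
#   Prod    -> "Apache"
#   Major   -> "Apache/2"
#   Minor   -> "Apache/2.4"
#   Minimal -> "Apache/2.4.10"
#   OS      -> "Apache/2.4.10 (Debian)"      (the default quoted in the bug)
#   Full    -> "Apache/2.4.10 (Debian) mod_ssl/2.4.10 ..." (modules appended)
_BANNER = re.compile(
    r"^Apache"
    r"(?:/(?P<major>\d+)(?:\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?)?)?"
    r"(?P<os>\s+\([^)]*\))?"
    r"(?P<modules>\s+\S.*)?$"
)


def server_tokens_level(server_header: str) -> Optional[str]:
    """Infer the ServerTokens level that produces this Server header value.
    Returns None when the value is not an Apache banner at all."""
    m = _BANNER.match(server_header.strip())
    if not m:
        return None
    if m.group("modules"):
        return "Full"
    if m.group("os"):
        return "OS"
    if m.group("patch") is not None:
        return "Minimal"
    if m.group("minor") is not None:
        return "Minor"
    if m.group("major") is not None:
        return "Major"
    return "Prod"


def audit_response(raw_response: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract the Server header from a raw HTTP response and classify it."""
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    for line in header_block.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            value = value.strip()
            return value, server_tokens_level(value)
    return None, None


# Constructed sample response carrying the header the bug report quotes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 03 Nov 2016 06:42:39 GMT\r\n"
    "Server: Apache/2.4.10 (Debian)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    value, level = audit_response(SAMPLE_RESPONSE)
    print(f"Server: {value!r} -> ServerTokens {level}")
```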

