
Re: products in Server header field

From: David Morris <dwm@xpasc.com>
Date: Thu, 1 Mar 2007 21:02:03 -0800 (PST)
cc: Nicolas Krebs <nicolas1.krebs3@netcourrier.com>, <ietf-http-wg@w3.org>
Message-ID: <Pine.LNX.4.33.0703012059400.14675-100000@egate.xpasc.com>


It is worth noting that it is sometimes not advisable to provide details
in the Server: field. Crackers are known to use this information to
identify vulnerabilities unique to the http server or host OS based
on version information.

On Fri, 2 Mar 2007, Henrik Nordstrom wrote:

> fre 2007-03-02 klockan 00:21 +0100 skrev Nicolas Krebs:
> > I wish to know which data are allowed in Server: header-field (HTTP 1.1).
> > May I put in an HTTP response "Server: Apache Plone Zope Python" ?
>
> Yes, if you like to. But you should try to make sure to use the official
> names for each product, possibly with a /version component.
>
> > Does "the software used by the origin server to handle the request" include or
> > allow each software involved in the answer ?
>
> You may add tokens for any software component you consider may be
> significantly relevant for how the request was processed and the answer
> was generated.
>
> The main reason for publishing software details like this is to allow the
> server software to be identified, making it easier to diagnose problems.
>
> Regards
> Henrik
>
Received on Friday, 2 March 2007 05:02:13 GMT
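As an added example (not code from the thread or from any of the projects named in it), a small Python check that splits a Server header value into RFC 2616 product tokens and reports which ones carry the /version component Henrik mentions, the detail David Morris suggests a server may prefer to withhold. The header values in the sample run are constructed.

```python
import re

# RFC 2616 'token' characters: any CHAR except CTLs and separators.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# Server = "Server" ":" 1*( product | comment ); product = token ["/" product-version].
_PRODUCT_RE = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")
_COMMENT_RE = re.compile(r"\([^()]*\)")


def parse_server_header(value):
    """Split a Server header value into (product, version) pairs.

    Parenthesised comments such as '(Unix)' are dropped; version is None
    when the product token carries no '/version' component.
    """
    products = []
    for part in _COMMENT_RE.sub(" ", value).split():
        m = _PRODUCT_RE.fullmatch(part)
        if m is None:
            raise ValueError(f"not a valid product token: {part!r}")
        products.append((m.group(1), m.group(2)))
    return products


def version_disclosures(value):
    """Return the product tokens that expose a version number."""
    return [f"{p}/{v}" for p, v in parse_server_header(value) if v is not None]


def check_server_header(value):
    """Return a one-line verdict for a single Server header value."""
    disclosures = version_disclosures(value)
    if disclosures:
        return f"version disclosure: {', '.join(disclosures)}"
    return "no version disclosure"


if __name__ == "__main__":
    # Constructed sample values: the one from the thread and two variants.
    for sample in ("Apache Plone Zope Python",
                   "Apache/2.2.4 (Unix) Zope/2.10.2 Python/2.4.4",
                   "Apache"):
        print(f"{sample!r}: {check_server_header(sample)}")
```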
