Re: products in Server header field

It is worth noting that it is sometimes not advisable to provide details
in the Server: field. Crackers are known to use this information to
identify vulnerabilities unique to the HTTP server or host OS based
on version information.

On Fri, 2 Mar 2007, Henrik Nordstrom wrote:

> On Fri 2007-03-02 at 00:21 +0100, Nicolas Krebs wrote:
> > I wish to know which data are allowed in Server: header-field (HTTP 1.1).
> > May I put in an HTTP response "Server: Apache Plone Zope Python"?
> Yes, if you like to. But you should try to make sure to use the official
> names for each product, possibly with a /version component.
> > Does "the software used by the origin server to handle the request" include or
> > allow each software involved in the answer?
> You may add tokens for any software component you consider may be
> significantly relevant for how the request was processed and the answer
> was generated.
> The main reason for publishing software details like this is to allow the
> server software to be identified making it easier to diagnose problems.
> Regards
> Henrik

Received on Friday, 2 March 2007 05:02:13 UTC
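
The Server field syntax discussed in this thread (product tokens with an optional /version component, plus parenthesised comments, as defined in RFC 2616), shown as an added example that is not part of the original messages: a parser that lists which items in a Server value disclose more than a bare product name. The function names and the SAMPLE value are constructed for illustration.

```python
import re

# RFC 2616 token characters: any CHAR except CTLs and separators.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT_RE = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")

# Constructed sample value (not taken from any real server).
SAMPLE = "ExampleServer/1.2.3 (ExampleOS (build 7)) ExampleLang/4.5"


def parse_server(value):
    """Split a Server value into (kind, text, version) items."""
    items, i, n = [], 0, len(value)
    while i < n:
        if value[i] in " \t":
            i += 1
        elif value[i] == "(":
            # Comments may nest and may hold backslash-quoted characters.
            depth, j = 1, i + 1
            while j < n and depth:
                if value[j] == "\\":
                    j += 1  # skip the quoted character
                elif value[j] == "(":
                    depth += 1
                elif value[j] == ")":
                    depth -= 1
                j += 1
            if depth:
                raise ValueError("unterminated comment")
            items.append(("comment", value[i + 1:j - 1], None))
            i = j
        else:
            m = PRODUCT_RE.match(value, i)
            if not m:
                raise ValueError(f"invalid character at offset {i}")
            items.append(("product", m.group(1), m.group(2)))
            i = m.end()
    return items


def disclosed(value):
    """Items that reveal more than a bare product name."""
    return [it for it in parse_server(value)
            if it[0] == "comment" or it[2] is not None]


def minimal(value):
    """Rebuild the field with product names only."""
    return " ".join(t for k, t, _ in parse_server(value) if k == "product")
```

Run `disclosed()` over the Server values your own hosts return to see which ones carry version or platform detail; `minimal()` gives the same product list with that detail removed.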