> On Aug 18, 2021, at 12:21 AM, Piotr Sionkowski <piotr.g.sionkow...@gsk.com.INVALID> wrote:
>
> Hello httpd docs @ Apache Software Foundation,
>
> I am writing this e-mail to learn more about the ASF's attitude towards presenting
> or hiding httpd server version details in headers.
>
> I have read the FAQ and documentation and agree with some statements and
> disagree with most. That is why I would like to have it clarified.
>
> Both in the FAQ[1] and in the documentation[2] it is discouraged to obscure the
> details of the httpd server. The rationale provided is that (all are quotations
> from [1] and [2]):
>
> Arg1: It does nothing at all to make your server more secure
> Arg2: The idea of "security through obscurity" is a myth and leads to a false
> sense of safety
> Arg3: mistaken understanding that this will make the system more secure
> Arg4: the same exploits will likely be attempted regardless of the header
> information
> Arg5: it makes it more difficult to debug interoperational problems
>
> I have checked the recommendation from OWASP[3] and they advise to remove or
> alter the headers so that no unnecessary details are presented.
>
> I tend to subscribe to OWASP's point of view and would like to elaborate on
> it so that we can argue more precisely and reach meaningful conclusions.
Hi Piotr,

The Server header field is used by clients (especially user agents) to adjust their behavior with respect to known errors in servers.

While OWASP is welcome to choose an opinion that is "more secure" based on a theoretical concern, I can assure you (as the HTTP editor) that their opinion is simply wrong with regards to the usability of the Web as a long-lived system in the real world. It simply doesn't matter to an attacker.

The version does matter to admins and customers, who can use automated tools to ensure their websites are running the right version (or at least not the wrong version) and trigger testing whenever that version changes. That tends to result in systems that are actually more secure, rather than trying to obscure that they aren't being maintained properly.

.....Roy
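The kind of automated check Roy describes, as an added example that is not part of this thread and not httpd project code: it parses a `Server` field according to the RFC 7231 grammar (`product *( RWS ( product / comment ) )`), compares the primary product/version against the build an operator expects, and reports when the advertised version changes between two observations, which is the trigger for re-running tests. The expected build string `Apache/2.4.48` and the response headers in `SAMPLES` are constructed for the example; nothing here contacts a live host. The `hidden` outcome shows the cost of `ServerTokens Prod` from the operator's side: the remote check can no longer confirm the version and has to fall back to asking the host itself.

```python
"""Audit the advertised Server header against an expected build.

Constructed example: the responses in SAMPLES are made up to exercise the
checks; the expected build string is an assumption, not a real deployment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Product:
    name: str
    version: Optional[str]  # None when only the product name is advertised


def parse_server_header(value: str) -> Tuple[List[Product], List[str]]:
    """Split a Server field into products and comments (RFC 7231 s.7.4.2).

    Server = product *( RWS ( product / comment ) ); product = token ["/" version].
    Comments are parenthesised and may contain spaces, so a plain split on
    whitespace would break "(Unix)" style comments apart.
    """
    products: List[Product] = []
    comments: List[str] = []
    i, n = 0, len(value)
    while i < n:
        if value[i].isspace():
            i += 1
        elif value[i] == "(":
            # Consume a (possibly nested) comment up to its matching ')'.
            depth, start = 0, i
            while i < n:
                if value[i] == "(":
                    depth += 1
                elif value[i] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                i += 1
            comments.append(value[start:i + 1])
            i += 1
        else:
            start = i
            while i < n and not value[i].isspace():
                i += 1
            name, _, version = value[start:i].partition("/")
            products.append(Product(name, version or None))
    return products, comments


def audit_server_header(headers: Dict[str, str], expected: str) -> str:
    """Classify what the Server header tells an operator.

    expected is "<product>/<version>", e.g. "Apache/2.4.48". Returns one of:
      "missing"  - no Server field (or an empty one)
      "hidden"   - product named but no version (what ServerTokens Prod yields)
      "match"    - primary product and version equal the expected build
      "mismatch" - a version is advertised and it is not the expected one
    """
    value = headers.get("Server")
    if value is None:
        return "missing"
    products, _ = parse_server_header(value)
    if not products:
        return "missing"
    primary = products[0]
    if primary.version is None:
        return "hidden"
    exp_name, _, exp_version = expected.partition("/")
    if primary.name == exp_name and primary.version == exp_version:
        return "match"
    return "mismatch"


def version_changed(previous: Optional[str], current: Optional[str]) -> bool:
    """True when the primary product/version differs between two observations.

    Comments (platform, build flags) are ignored on purpose: a change there is
    not a software upgrade and should not re-trigger the test suite.
    """
    def key(value: Optional[str]):
        if value is None:
            return None
        products, _ = parse_server_header(value)
        return (products[0].name, products[0].version) if products else None
    return key(previous) != key(current)


# Constructed sample responses (not real hosts).
SAMPLES = {
    "full":  {"Server": "Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.21"},
    "prod":  {"Server": "Apache"},                 # ServerTokens Prod
    "other": {"Server": "Apache/2.4.29 (Ubuntu)"},
    "none":  {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:6} -> {audit_server_header(hdrs, 'Apache/2.4.48')}")
    print("changed:", version_changed(SAMPLES["other"]["Server"],
                                      SAMPLES["full"]["Server"]))
```

In a monitoring job the `previous` value would come from the last stored observation and `current` from a fresh `HEAD` request; a `mismatch` or a `changed` result is what wires into the test pipeline Roy refers to.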