hello,

This is like arguing whether VIM or emacs should be used. (jokes aside) I mean,
some companies will accept that as a vulnerability and will make the effort
to fix it and comply with security standards like OWASP, as you mention
@Piotr. But it is not always as great as that.
If you search any bug bounty program, they exclude
meaningless vulnerabilities like cookies without the secure or http options, and
this header that you are mentioning would not be relevant.

But I do agree with you that this simple thing of removing the version or
tampering with it will "*improve*" your security posture or fool the bad guys, but
as Ruediger says, if they want to hack you they will end up hacking
you, and possibly not because of a server header but because of a human error, you
know.

Although you can have the header version, that's ok, but normally it's
behind something, a WAF, a fancy firewall or whatever.
The question you have to ask yourself here is: does the server have any
critical data? Could the server disrupt the normal functionality of the
application? (I know this is too much for a simple header, but sometimes it
might help securing it.) But sometimes it can lead you to the fix.

And maybe you know about the netcraft server survey vendors: (
https://news.netcraft.com/archives/2021/08/25/august-2021-web-server-survey.html
)
similar to the data you posted ;) maybe you would like to have a look at
it.

In conclusion, *it depends on the security posture your company* would want
to have, whether they will remove it or not. (I would do the same, remove
it or tamper with it.)
From the developers' and sysadmins' perspective it will be just another header ;)

Hope it helps too,
Kind regards,

Luis



On Tue, 21 Sept 2021 at 15:45, Ruediger Pluem <rpl...@apache.org> wrote:

>
>
> On 9/21/21 2:40 PM, Piotr Sionkowski wrote:
> > Hi Guys,
> >
> > First of all I would like to thank you for picking up the issue I brought.
> >
> > I conducted a quick experiment and checked what apache.org headers look like and got:
> >
> > $ curl -I apache.org | grep Server
> > Server: Apache
> >
> > I also did a deeper dive and checked a bigger sample of n=86 webpages of ASF sponsors.
> >
> > ===BEGIN OF EXPERIMENT===
> > STEP 1: we grab the list of ASF sponsors
> >
> > $ curl --url https://www.apache.org/foundation/thanks.html -v | grep sponsored | cut -f 2 -d\" > sponsors
> >
> > result:
> > https://aws.amazon.com/
> > http://facebook.com/
> > http://google.com/
> > < Removed 80 lines >
> > https://www.sonic.com/
> > http://www.surfnet.nl/
> > https://www.virtru.com/
> >
> > STEP 2: we grab Server headers for results from STEP 1. Any missing are replaced with 'SERVER OBSCURED'
> >
> > $ for subject in $(cat sponsors); do echo -n "${subject}: " >> servers; curl --connect-timeout 3 -I -k $subject 2> /dev/null | grep Server >> servers || echo 'SERVER OBSCURED' >> servers; done
> >
> > result:
> > https://aws.amazon.com/: Server: Server
> > http://facebook.com/: SERVER OBSCURED
> > http://google.com/: Server: gws
> > < Removed 80 lines >
> > https://www.sonic.com/: Server: nginx/1.12.1
> > http://www.surfnet.nl/: Server: nginx
> > https://www.virtru.com/: Server: cloudflare
> >
> > STEP 3: We organize the data and print a histogram-like summary
> >
> > $ cut -f 3 -d' ' servers | sort | uniq -c > histogram
> >
> > result:
> >    2 ATS
> >    3 AkamaiGHost
> >    2 AmazonS3
> >    7 Apache
> >    1 Apache/2.4.18
> >    1 Apache/2.4.48
> >    9 Cisco
> >    2 GitHub.com
> >    2 Kestrel
> >    1 LiteSpeed
> >   13 OBSCURED
> >    1 PAAS-WEB
> >    1 SE-1.15.12
> >    2 Server
> >    1 Tengine
> >    1 Varnish
> >    1 awselb/2.0
> >    1 bfe/1.0.8.18
> >   15 cloudflare
> >    1 globaledge-envoy
> >    2 gws
> >    1 ias/1.4.2.3_1.17.3
> >   14 nginx
> >    1 nginx/1.12.1
> >    1 nginx/1.14.0
> > ===END OF EXPERIMENT===
> >
> > Observations from data:
> > Observation 1: 15 out of 86 (17.5%) are not willing to share ANYTHING about their servers
> > Observation 2: another 15 are hidden behind cloudflare, summing up to 35%
> > Observation 3: 8/86 (9%) show any version numbers
> > Observation 4: out of 9 servers who claim to be Apache, 2 (22%) show versions
> >
> > Conclusions:
> > Only a tiny percentage of this sample is willing to show any version of their web server (not confirmed if what they show is what they actually run).
> >
> > In view of the above, would ASF consider changing its recommendation[1] from 'Minimal' to 'Product Only'?
>
> Thanks for the data, but in my opinion it actually does not tell you much.
> From my experience, in a lot of big companies people are
> forced to stick to the owasp recommendations whether they make sense in
> people's eyes or not. I myself got tired of this
> topic in professional life. If people demand that I remove that stuff, I do,
> not because I think it makes sense, but because I do
> not want to waste time any longer, like in the past, discussing with people
> why I think it does not make sense, when in the end the
> only argument I get is: But owasp recommends it.
> Just because people apply them does not tell you that the arguments we
> mentioned are wrong and what owasp recommends is right.
>
> Regards
>
> Rüdiger
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
> For additional commands, e-mail: docs-h...@httpd.apache.org
>
>
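An added example, not part of this thread and not Piotr's script: a small Python pass over a file in the STEP 2 format ('url: Server: value' or 'url: SERVER OBSCURED') that buckets each Server header by what it reveals, roughly the difference between ServerTokens Prod ('Apache') and Minimal ('Apache/2.4.48') that the thread is arguing about. The sample rows, the .test hostnames and the version regex are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the 'url: Server header' format written by STEP 2 of
# the quoted experiment; rows are invented here, the .test hosts are placeholders.
SAMPLE_SERVERS = """\
https://aws.amazon.com/: Server: Server
http://facebook.com/: SERVER OBSCURED
http://google.com/: Server: gws
https://sponsor-a.test/: Server: Apache
https://sponsor-b.test/: Server: Apache/2.4.48
https://sponsor-c.test/: Server: nginx/1.12.1
https://sponsor-d.test/: Server: SE-1.15.12
https://www.virtru.com/: Server: cloudflare
"""

# Heuristic (assumption): a dotted number anywhere in the value is a version,
# which also catches values such as 'SE-1.15.12' that have no '/' separator.
VERSION_RE = re.compile(r"\d+\.\d+")

def parse_server_line(line):
    """Split one STEP 2 line into (url, header value); value is None if obscured."""
    url, _, rest = line.partition(": ")
    if rest == "SERVER OBSCURED":
        return url, None
    return url, rest.removeprefix("Server: ").strip()

def disclosure_level(value):
    """'obscured' (no header), 'product' (like ServerTokens Prod: 'Apache')
    or 'product+version' (like ServerTokens Minimal: 'Apache/2.4.48')."""
    if value is None:
        return "obscured"
    return "product+version" if VERSION_RE.search(value) else "product"

def summarize(text):
    """Return (Counter of disclosure levels, Counter of product names)."""
    levels, products = Counter(), Counter()
    for line in text.splitlines():
        _, value = parse_server_line(line)
        levels[disclosure_level(value)] += 1
        if value is not None:
            products[value.split("/")[0]] += 1  # 'nginx/1.12.1' -> 'nginx'
    return levels, products

def versioned_hosts(text):
    """URLs whose Server header carries a version: the rows worth reviewing."""
    return [u for u, v in map(parse_server_line, text.splitlines())
            if disclosure_level(v) == "product+version"]
```

Run against the real 'servers' file from STEP 2, summarize() reproduces the histogram of STEP 3 while versioned_hosts() lists the rows behind Observation 3.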
