On Tuesday, July 22, 2003, at 09:24 AM, Remy Maucherat wrote:
> Jan Luehe wrote:
>> The spec declares these headers as optional, which means Tomcat should make them configurable. Some sites may prefer not to include this information in their responses, for security reasons or whatever.
>
> This is a pretty bad implementation IMO. What's the use of disabling this feature?
>
> IIS 6 has similar headers, and I believe it does not have any option to hide them. This has no bandwidth savings or anything. It is not worth adding flags everywhere for that.
>
> If you really want to add a flag, add it on the connector, and set the header in the CoyoteAdapter. As for the JSP flag, it should be a Jasper option if you really want to have it optional, not based on a bad test (why does the presence of a X-Powered header indicate anything?).
>
> BTW, I don't see why the spec saying that the header is optional implies that the flag must be implemented as something optional. It merely means that an implementation may ignore completely this feature.
>
> I maintain my -1 (sorry for disliking your patches these days): adding configurability, down to flag addition in the core interfaces, to such a trivial feature is ridiculous (or we should have 300 flags in the Context interface, which we obviously don't want). Please revert your patch.
Remy, I don't agree with that at all. For security reasons you always want the option to reveal as little as possible about your system. By default httpd creates headers like:
Server: Apache/1.3.26 (Unix) mod_jk/1.1.0 DAV/1.0.3 mod_ssl/2.8.9 OpenSSL/0.9.6b
Which for a paranoid sysadmin is far too much info to give away. Thankfully you can get rid of them in the httpd configuration (if you want another example, look at bind and what that gives away by default). This is exactly the same thing: if the header is to be set in the response (I'm not commenting on the implementation details or whether it should be there), then there must be an option to turn it off.
Martin
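As an added example (editor's code, not part of this thread and not Tomcat or httpd code), here is a small audit that makes the disclosure Martin describes concrete: it parses a raw HTTP response, as captured with `curl -sI`, and reports which headers advertise a product and which advertise an exact version. The two sample responses are constructed: the `Server` value is the one quoted above, while the `X-Powered-By` value, the `Date` header and the list of headers treated as disclosure headers are assumptions for the example.

```python
"""Audit HTTP response headers for product/version disclosure.

Added example, not code from the original thread. Given a raw HTTP
response, it reports which headers leak a product name and which leak
an exact version, so the effect of turning such headers off can be
checked rather than assumed.
"""
import re
from typing import Dict, List, Tuple

# Headers whose only purpose is to advertise the server stack.
# Assumption: this list is the editor's, not something the thread defines.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# product/version pairs such as "Apache/1.3.26", "mod_ssl/2.8.9", "Servlet/2.4"
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*[\w-]*)")

# Constructed sample: the Server value quoted in the thread plus an assumed
# X-Powered-By header of the kind the Tomcat patch under discussion adds.
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 22 Jul 2003 09:24:00 GMT\r\n"
    "Server: Apache/1.3.26 (Unix) mod_jk/1.1.0 DAV/1.0.3 mod_ssl/2.8.9 OpenSSL/0.9.6b\r\n"
    "X-Powered-By: Servlet/2.4 JSP/2.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample of the same site after the version details are removed
# and the X-Powered-By header is turned off entirely.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 22 Jul 2003 09:24:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response.

    Header names are lower-cased (they are case-insensitive on the wire);
    obsolete folded continuation lines are joined onto the previous value.
    """
    headers: Dict[str, str] = {}
    last = None
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if line == "":
            break  # blank line ends the header block; the body follows
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def audit_headers(raw: str) -> List[Tuple[str, str, str]]:
    """Return (header, kind, detail) findings for a raw response.

    kind is 'version' for every explicit product/version pair found in a
    disclosure header, or 'product' when the header is present but names
    only a product (still a disclosure, just a smaller one).
    """
    headers = parse_headers(raw)
    findings: List[Tuple[str, str, str]] = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        pairs = VERSION_RE.findall(value)
        if pairs:
            for product, version in pairs:
                findings.append((name, "version", f"{product}/{version}"))
        else:
            findings.append((name, "product", value))
    return findings


if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for header, kind, detail in audit_headers(raw):
            print(f"  {header}: {kind} disclosed: {detail}")
```

Run against the default response this lists seven exact versions (httpd, three modules, OpenSSL, and the servlet/JSP levels), which is the fingerprinting surface Martin objects to; against the hardened response it reports only that the product is Apache, and nothing from `X-Powered-By`.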