I'm a bit disappointed that web2py by default sets `X-Powered-By: web2py` in the http header, thus making it easier for web-scanning tools to detect the software running behind a web site, and allow more targetted attacks. Is there an easy config option to efficiently turn this off for all pages / json responses etc served by web2py? Also, are there other ways to obscure the fact that it is web2py / python running on a web server, and reduce information disclosure? For example, can anyone detect what python version I'm running by using web queries: I see that rocket server puts the python version in the `Server:` header, which seems bad to me, although my production machine simply returns `Server: nginx` which is a little better, I suppose. I suspect it will never be possible to obscure the software entirely, but anything that makes it harder for the script kiddies seems like an easy win to me.
-- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/09c4e377-2c90-4b9b-abdf-ea6b4967d18b%40googlegroups.com.
