科技回声

Isn't that inviting bad actors to scour the web for servers with just the right vulnerability? What's to gain by revealing that?

There is no need to reveal this today. Long ago most daemons would advertise what they were and their version in the event clients might need to negotiate around specific behaviors, quirks or bugs.In NGinx one can get rid of this without recompiling by adding the "nginx-mod-http-headers-more" module and adding to nginx.conf:<pre><code> more_set_headers 'Server: IIS/4.0'; # or whatever </code></pre> HAProxy and most load balancer daemons can filter out or replace the Server header. Apache requires a recompile to drop the Server header unless one puts HAProxy in front of it due to the order in how headers are processed. In HAProxy:<pre><code> http-response set-header Server Silly </code></pre> or<pre><code> http-response del-header Server </code></pre> After making changes one can scan their headers in SecurityHeaders [1] to see what has changed, or use curl:<pre><code> curl --head https://some.tld/ </code></pre> As to why they still display this? Showing off in crawler stats who is dominate on the internet.[1] - <a href="https://securityheaders.com/" rel="nofollow">https://securityheaders.com/</a>

Some sites may provide a default noscript/basic (x)html web interface.

Isn't that inviting bad actors to scour the web for servers with just the right vulnerability? What's to gain by revealing that?

Some sites may provide a default noscript/basic (x)html web interface.

Ask HN: Why do web servers still reveal their type and version in headers?

2 条评论

Ask HN: Why do web servers still reveal their type and version in headers?

2 条评论