Security concern in the HTTP headers Server document #33543
Comments
The issue as reported is not consistent with its citations. The MDN page includes this warning (emphasis added):
It goes on to say (emphasis added):
It suggests that including some information (such as an Apache version) might be a good idea. Therefore, there is no contradiction. RFC 2616 does not say that server information should be confidential. The linked section 15.1.1 is about logged information about users, which has nothing to do with this issue. Section 14.38, which is about the
Despite my comment above, this issue does raise an important point. Including the
On the other hand, omitting the
Here are some more general comments:
MDN URL
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server#directives
What specific section or headline is this issue about?
Directives
What information was incorrect, unhelpful, or incomplete?
The HTTP headers Server documentation includes potentially misleading security advice.
It mentions that having "Server" information in the HTTP header can expose the server to exploitation by attackers.
However, the directive section suggests that revealing Apache versions helps browsers work around bugs.
Instead, developers should patch bugs without exposing vulnerable information to potential attackers.
Thus, revealing server information contradicts the security warnings in the document.
Below is the statement from the document:
"How much detail to include is an interesting balance to strike; exposing the OS version is probably a bad idea, as mentioned in the earlier warning about overly-detailed values. However, exposed Apache versions helped browsers to work around a bug of the versions with Content-Encoding and Range in combination."
What did you expect to see?
Update the document so that contradicting statements will be removed.
Do you have any supporting links, references, or citations?
RFC-2616 states that server information should be confidential.
https://datatracker.ietf.org/doc/html/rfc2616#section-15.1.1
Do you have anything more you want to share?
No response
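As an added example (not code from MDN or from anyone in this thread), a small Python checker that a site operator can run over their own responses to see which of the disclosure levels the quoted MDN text distinguishes (product name only, product with version, or extra detail such as an OS in a parenthesized comment) a given Server value falls into. The parser follows the product/comment grammar of the HTTP Server field in a simplified form, and all sample header values are constructed.

```python
"""Classify how much a Server header value discloses (added example, not MDN's code)."""
import re
from typing import List, NamedTuple, Optional, Tuple

# RFC token characters; used for product names and product versions.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PRODUCT_RE = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")


class ServerInfo(NamedTuple):
    products: List[Tuple[str, Optional[str]]]  # (name, version or None)
    comments: List[str]                        # text inside parenthesized comments


def parse_server_header(value: str) -> ServerInfo:
    """Split a Server field-value into product tokens and comments.

    Grammar (simplified): product *( RWS ( product / comment ) ), where
    product = token ["/" token] and comment = "(" ... ")" (nesting allowed).
    """
    products: List[Tuple[str, Optional[str]]] = []
    comments: List[str] = []
    i, n = 0, len(value)
    while i < n:
        if value[i].isspace():
            i += 1
        elif value[i] == "(":
            depth, j = 0, i
            while j < n:                       # find the matching ")"
                if value[j] == "(":
                    depth += 1
                elif value[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if j == n:
                raise ValueError(f"unterminated comment at offset {i}")
            comments.append(value[i + 1:j])
            i = j + 1
        else:
            m = _PRODUCT_RE.match(value, i)
            if not m:
                raise ValueError(f"invalid Server header at offset {i}")
            products.append((m.group(1), m.group(2)))
            i = m.end()
    return ServerInfo(products, comments)


def disclosure_level(value: str) -> str:
    """Return 'none', 'product', 'version' or 'detailed' (comments such as an OS present)."""
    info = parse_server_header(value)
    if not info.products and not info.comments:
        return "none"
    if info.comments:
        return "detailed"
    if any(version for _, version in info.products):
        return "version"
    return "product"
```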