Bug 40026 - Impossibility to unset Server Header
Status: RESOLVED WONTFIX
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.2.9
Hardware: All
OS: All
Importance: P4 normal with 13 votes
Assigned To: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Reported: 2006-07-12 07:43 UTC by Sebastian Nohn
Modified: 2014-02-19 17:30 UTC
CC: 5 users

Attachments
- Disable Server Header (1.23 KB, patch), 2006-07-22 14:20 UTC, Sebastian Nohn
- Make sending the Server header configurable via httpd.conf (2.14 KB, patch), 2006-07-23 16:06 UTC, Sebastian Nohn
- Make sending the Server header configurable via httpd.conf (Documentation) (2.43 KB, patch), 2006-07-23 16:07 UTC, Sebastian Nohn
- Patch against trunk (438824), respects and contains patch proposed in <cc67648e0608300618t5f133a85jc514a65009cbc359@mail.gmail.com> (20.26 KB, patch), 2006-08-31 07:03 UTC, Sebastian Nohn
- Patch against trunk (438824), respects, completes and contains patch proposed in <cc67648e0608300618t5f133a85jc514a65009cbc359@mail.gmail.com> (20.28 KB, patch), 2006-08-31 07:48 UTC, Sebastian Nohn

Description Sebastian Nohn 2006-07-12 07:43:48 UTC
These work:
Header always add X-Test-Header: Success
Header always unset Content-Length

This does not work:
Header always unset Server
Comment 1 Ruediger Pluem 2006-07-12 15:44:52 UTC
This currently works as designed. In the proxy case we have the following situation:

If no Server header is set (either because the backend does not set one or
because you have unset it), the Server header is set with the default value.

In the non proxy case the Server header is always set to the predefined value.
It cannot be changed.
So I mark this as invalid. Feel free to reopen if you think that this is either
a documentation bug or an enhancement.

BTW: Unsetting the Content-Length header is not really a smart idea as it breaks
HTTP/1.1 connections.
Comment 2 Sebastian Nohn 2006-07-12 15:54:30 UTC
In this case, the design is broken. "Server" is not required by RFC 2616.

The Content-Length header was unset for testing purposes (if unsetting headers
does work).
Comment 3 Joshua Slive 2006-07-22 04:19:23 UTC
It has long been the policy of the httpd developers that Server cannot be
omitted nor lied about using configuration.  I don't think that is unreasonable.
There are very very few good reasons to omit the Server header, and if you
really need to, you have the source code.  The fact that Server is not required
by the spec certainly doesn't mean that it is required to make it optional.  The
header is configurable via ServerTokens, but it can't be omitted.

If you disagree with this policy, you should take it up on the dev@httpd mailing
list.  This is not a bug or a design flaw.
Comment 4 Sebastian Nohn 2006-07-22 14:20:05 UTC
Created attachment 18626 [details]
Disable Server Header

This disables it at all. Very crude but may help people searching for this
through the bugs database.
Comment 5 Sebastian Nohn 2006-07-23 16:06:56 UTC
Created attachment 18629 [details]
Make sending the Server header configurable via httpd.conf
Comment 6 Sebastian Nohn 2006-07-23 16:07:17 UTC
Created attachment 18630 [details]
Make sending the Server header configurable via httpd.conf (Documentation)
Comment 7 Sebastian Nohn 2006-07-23 16:09:09 UTC
RFC 2616 says "Server implementors are encouraged to make this field a
configurable option".

Find the patch for making this configurable attached.
Comment 8 Joshua Slive 2006-07-23 18:45:26 UTC
Out of context quote. Try the whole paragraph:
"      Note: Revealing the specific software version of the server might
      allow the server machine to become more vulnerable to attacks
      against software that is known to contain security holes. Server
      implementors are encouraged to make this field a configurable
      option."

The display of specific version information is already configurable.
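The ServerTokens levels referred to above are the only knob stock httpd offers for this header. The following is an added example, not code from the bug's attachments or from httpd itself: it parses a raw HTTP response head, extracts the Server header and maps its value back to the ServerTokens level that would produce it (Prod, Major, Minor, Min, OS, Full). The sample responses are constructed, using the product strings the httpd ServerTokens documentation gives for each level; the "none" case shows what the requested `Header always unset Server` would yield, which, as this thread establishes, no configuration achieves.

```python
import re
from typing import Dict, Optional

# Constructed sample responses (not captured from any real host). The Server
# values follow the example strings in the httpd ServerTokens documentation.
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "Full":  b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2\r\nContent-Length: 0\r\n\r\n",
    "OS":    b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.2 (Unix)\r\nContent-Length: 0\r\n\r\n",
    "Min":   b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.2\r\nContent-Length: 0\r\n\r\n",
    "Minor": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\nContent-Length: 0\r\n\r\n",
    "Major": b"HTTP/1.1 200 OK\r\nServer: Apache/2\r\nContent-Length: 0\r\n\r\n",
    "Prod":  b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n",
    # What "Header always unset Server" would give if httpd honoured it.
    "none":  b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

# product[/version][ (os)][ extra modules]
_SERVER_RE = re.compile(r"^([^/\s]+)(?:/([\w.]+))?(?:\s+\(([^)]*)\))?\s*(.*)$")


def server_header(raw: bytes) -> Optional[str]:
    """Return the first Server header value in a raw HTTP response head,
    or None if the response carries no Server header at all."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def classify(value: Optional[str]) -> str:
    """Map a Server header value to the ServerTokens level that produces it.

    Full  -> product/version (OS) plus loaded modules
    OS    -> product/version (OS)
    Min   -> product/full version
    Minor -> product/major.minor
    Major -> product/major
    Prod  -> product name only
    none  -> header absent (no stock httpd setting does this)
    """
    if value is None:
        return "none"
    m = _SERVER_RE.match(value)
    if not m:
        return "unknown"
    _product, version, os_part, rest = m.groups()
    if rest:
        return "Full"
    if os_part is not None:
        return "OS"
    if version is None:
        return "Prod"
    return {1: "Major", 2: "Minor"}.get(len(version.split(".")), "Min")


def audit(raw: bytes) -> Dict[str, object]:
    """Summarise what a response head discloses through its Server header."""
    value = server_header(raw)
    level = classify(value)
    return {
        "server": value,
        "level": level,
        # Anything beyond the bare product name is the version disclosure
        # the RFC 2616 note quoted above warns about.
        "discloses_version": level not in ("Prod", "none"),
    }


def audit_samples() -> Dict[str, str]:
    """Classify every constructed sample; each key should map to itself."""
    return {name: classify(server_header(raw)) for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(f"{name:6s} {audit(raw)}")
```

For a live host, feed the head from `curl -sI` (against a host of your own; the hostname is not part of this example) into `audit()`. Two caveats a practitioner should keep in mind: `ServerSignature Off` only removes the footer on server-generated error and index pages and does not touch the header, and the smallest value stock httpd will emit is `Server: Apache` from `ServerTokens Prod`, which is exactly the point this thread settles.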
Comment 9 Joshua Slive 2006-07-23 18:47:27 UTC
I didn't notice you reopened this.  Thanks for the patches, which may indeed be
useful for people.  But as I said, there is no bug here.  If you wish to discuss
the policy decision, dev@httpd is the correct place.

(I personally think it is stupid to remove this field, but I wouldn't strongly
object to your patch simply because there are so many silly people who request
it that it continually wastes developer time.)
Comment 10 Sebastian Nohn 2006-07-24 05:50:54 UTC
I don't see where my quote is out of context. Anyway, most people like to
*change* the Server header. This is indeed silly. Removing it starts to make
sense when you have to pay exorbitantly high amounts of money for your traffic -
for whatever reason - and have a high-traffic site. In this case saving these 17
bytes can save you several hundred € a month.
Comment 11 Roy T. Fielding 2006-08-02 06:13:41 UTC
this is an enhancement request, not a bug report.
Comment 12 Sebastian Nohn 2006-08-31 07:03:56 UTC
Created attachment 18774 [details]
Patch against trunk (438824), respects and contains patch proposed in <cc67648e0608300618t5f133a85jc514a65009cbc359@mail.gmail.com>
Comment 13 Sebastian Nohn 2006-08-31 07:48:28 UTC
Created attachment 18775 [details]
Patch against trunk (438824), respects, completes and contains patch proposed in <cc67648e0608300618t5f133a85jc514a65009cbc359@mail.gmail.com>
Comment 14 Serge Bohdjalian 2008-11-14 11:25:24 UTC
Apache documentation (v2.0-v.2.2) states that the "header unset Server" directive should work:

    "The header is modified just after the content handler and output filters are run, allowing outgoing headers to be modified."

This is in contrast to what the documentation *used* to say (v.1.3):

    "The Header directives are processed just before the response is sent by its handler. This means that some headers that are added just before the response is sent cannot be unset or overridden. This includes headers such as 'Date' and 'Server'."

This change in the documentation implies that someone intended the "header unset Server" directive to work. Either the directive should be made to work (preferably) OR the documentation should be changed. Otherwise, this is a bug, not a feature or "enhancement request".

I personally consider this important since, according to the HTTP specification, the "Server" field is unnecessary and, given I'm planning to publish a large number of pages less than 2 KB (compressed), it could represent more than 1% of my outgoing traffic.
Comment 15 Takashi Sato 2008-11-14 16:59:46 UTC
"Except in early mode, the Header directives are processed just before the response is sent to the network. This means that it is possible to set and/or override most headers, except for those headers added by the header filter."

The document says not "all headers" but "most headers".
I'm not sure what "the header filter" exactly means.
I feel the document is somehow unkind.
Comment 16 Takashi Sato 2008-11-14 17:04:30 UTC
"somehow" -> "a little"
Comment 17 Eric Covener 2011-09-17 16:04:29 UTC
The project decided not to do this twice -- see "vote on concept of ServerTokens Off"
Comment 18 Spencer Drager 2014-02-19 03:07:13 UTC
Out of principle, server administrators should have 100% control over what comes out of their server as long as it conforms to the spec. What if "App: Notepad" or "App: Nano" was prepended to every text document touched by these applications? It would be absurd. Please reconsider this "feature".
Comment 19 Jeff Trawick 2014-02-19 17:30:36 UTC
Please do not reopen the bug.  WONTFIX is the proper status until the development community decides otherwise on the dev@httpd mailing list.  Feel free to provide your input there.  (Personally, I've lost count of the different ways I have patched different versions of httpd to remove the server header.  :(  )