Open lkc0626 opened 1 month ago
The issue as reported is not consistent with its citations.
The MDN page includes this warning (emphasis added):
"Avoid overly-detailed Server values ...."
It goes on to say (emphasis added):
... exposing the OS version is probably a bad idea, as mentioned in the earlier warning about overly-detailed values.
It suggests that including some information (such as an Apache version) might be a good idea. Therefore, there is no contradiction.
RFC 2616 does not say that server information should be confidential. The linked section 15.1.1 is about logged information about users, which has nothing to do with this issue. Section 14.38, which is about the Server header, says (emphasis added):
Revealing the specific software version of the server might allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Server implementors are encouraged to make this field a configurable option.
Despite my comment above, this issue does raise an important point. Including the Server directive to help clients work around server bugs is definitely a bad idea:
On the other hand, omitting the Server directive as a security measure may also be a bad idea (even if it is consistent with the RFC), as it may lead to a false sense of security.
Here are some more general comments:
The Server page references the User-Agent page for the format, but we could also reference that page for security advice (or lack of). Why are we so worried about servers telling clients what software they use, but not at all worried about clients telling servers what software they use?
MDN URL
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server#directives
What specific section or headline is this issue about?
Directives
What information was incorrect, unhelpful, or incomplete?
The HTTP headers Server documentation includes potentially misleading security advice. It mentions that having "Server" information in the HTTP header can expose the server to exploitation by attackers. However, the directive section suggests that revealing Apache versions helps browsers work around bugs. Instead, developers should patch bugs without exposing vulnerable information to potential attackers. Thus, revealing server information contradicts the security warnings in the document.
Below is the statement from the document: "How much detail to include is an interesting balance to strike; exposing the OS version is probably a bad idea, as mentioned in the earlier warning about overly-detailed values. However, exposed Apache versions helped browsers to work around a bug of the versions with Content-Encoding and Range in combination."
What did you expect to see?
Update the document so that contradicting statements will be removed.
Do you have any supporting links, references, or citations?
RFC-2616 states that server information should be confidential. https://datatracker.ietf.org/doc/html/rfc2616#section-15.1.1
Do you have anything more you want to share?
No response