Security concern in the HTTP headers Server document #33543
Labels
Content:HTTP
HTTP docs
needs triage
MDN URL
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server#directives
What specific section or headline is this issue about?
Directives
What information was incorrect, unhelpful, or incomplete?
The HTTP headers Server documentation includes potentially misleading security advice.
It mentions that having "Server" information in the HTTP header can expose the server to exploitation by attackers.
However, the directive section suggests that revealing Apache versions helps browsers work around bugs.
Instead, developers should patch bugs without exposing vulnerable information to potential attackers.
Thus, revealing server information contradicts the security warnings in the document.
Below is the statement from the document:
"How much detail to include is an interesting balance to strike; exposing the OS version is probably a bad idea, as mentioned in the earlier warning about overly-detailed values. However, exposed Apache versions helped browsers to work around a bug of the versions with Content-Encoding and Range in combination."
What did you expect to see?
Update the document so that the contradictory statements are removed.
Do you have any supporting links, references, or citations?
RFC-2616 states that server information should be confidential.
https://datatracker.ietf.org/doc/html/rfc2616#section-15.1.1
Do you have anything more you want to share?
No response
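As an added example (not part of this issue or of MDN's text), a small Python checker that classifies a Server header value by how much detail it exposes: product names only, product versions, or parenthesised comments such as OS or module details. Token and comment syntax follow the RFC 7231 grammar for the Server field; the sample values are constructed.

```python
import re

# RFC 7230 tchar set: a product name or version is one token
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

LEVELS = {0: "product names only", 1: "product versions exposed",
          2: "comments (OS/module details) exposed"}


def parse_server(value):
    """Split a Server field value into ('product', name, version) and
    ('comment', text) items. Comments may nest; an unterminated comment
    is taken to run to the end of the value."""
    items, i, n = [], 0, len(value)
    while i < n:
        if value[i].isspace():
            i += 1
        elif value[i] == "(":
            depth, j = 1, i + 1
            while j < n and depth:
                depth += {"(": 1, ")": -1}.get(value[j], 0)
                j += 1
            end = j - 1 if depth == 0 else j
            items.append(("comment", value[i + 1:end].strip()))
            i = j
        else:
            m = TOKEN_RE.match(value[i:])
            if not m:
                raise ValueError(f"unexpected character {value[i]!r} at {i}")
            name, version = m.group(0), None
            i += m.end()
            if i < n and value[i] == "/":
                m = TOKEN_RE.match(value[i + 1:])
                if not m:
                    raise ValueError(f"missing product-version at {i}")
                version = m.group(0)
                i += 1 + m.end()
            items.append(("product", name, version))
    return items


def exposure_level(value):
    """0, 1 or 2 per LEVELS: the most detailed kind of item present."""
    level = 0
    for item in parse_server(value):
        if item[0] == "comment":
            level = 2
        elif item[2] is not None:
            level = max(level, 1)
    return level
```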