
List:       apache-httpd-dev
Subject:    Re: svn commit: r1389575 - /httpd/httpd/trunk/CHANGES
From:       Jim Jagielski <jim () jaguNET ! com>
Date:       2012-09-26 11:11:47
Message-ID: A45F0E89-23AA-4272-BB9F-76DDF1096269 () jaguNET ! com


On Sep 25, 2012, at 6:22 PM, Daniel Ruggeri <DRuggeri@primary.net> wrote:

> 
> On the flip side, giving this information out in http headers could be
> dangerous. Taking httpd out of the equation, this has pretty wide
> implications.

This is true, and that's why I'm not suggesting that httpd,
or any backend at all, default to producing these headers.

In a "typical" reverse proxy situation, I assume that the
admin of the proxy also admins (at least to some extent) the
backends, and so he/she would only enable these headers on
backends they know are being proxied. Also, the front-end
on accepting the headers from the backend would /dev/null
them, so that this info would never "leak" to the external
world.

At least, that's the scenario I'm working towards...
