Disable ServerSignature

samwisesk8r
Registered User
Posts: 11
Joined: Sat Aug 23, 2014 7:24 pm

Disable ServerSignature

Post by samwisesk8r »

Hi all. What do you think about disabling Server Signature using the root .htaccess? Like this:

Code:

# Disable server signature
ServerSignature Off

Can you add this?

DavidIQ
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: Disable ServerSignature

Post by DavidIQ »

Why would we do this? The default is off so if this option is on it's on purpose.

samwisesk8r
Registered User
Posts: 11
Joined: Sat Aug 23, 2014 7:24 pm

Re: Disable ServerSignature

Post by samwisesk8r »

DavidIQ wrote: The default is off so if this option is on it's on purpose.
That's the problem. On many webhosts that I've used it wasn't off by default, so I had to turn it off myself using the code above. Without it the server would display info such as "Apache/2 Server at domain.com Port 80".

It doesn't hurt to have it, does it?

A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: Disable ServerSignature

Post by A_Jelly_Doughnut »

phpBB certainly should not be providing workarounds for server misconfigurations. Even, IMO, if it affects phpBB's own functionality, which this does not.
A_Jelly_Doughnut

DavidIQ
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: Disable ServerSignature

Post by DavidIQ »

A_Jelly_Doughnut wrote: phpBB certainly should not be providing workarounds for server misconfigurations. Even, IMO, if it affects phpBB's own functionality which this does not.
Exactly. It is not the job of the forum software to ensure the server is set up correctly.

Louis7777
Registered User
Posts: 394
Joined: Fri Apr 04, 2014 12:32 am

Re: Disable ServerSignature

Post by Louis7777 »

DavidIQ wrote: It is not the job of the forum software to ensure the server is set up correctly.
True, although phpBB provides blank index files in various directories to ensure that the server will not display their files in case that the directory views have not been disabled.

In my opinion, if it's just a line in the .htaccess that doesn't have any disadvantages then we should include it. It assists security after all.

BioLogIn
Registered User
Posts: 28
Joined: Mon Dec 10, 2012 6:55 pm

Re: Disable ServerSignature

Post by BioLogIn »

True, although phpBB provides blank index files in various directories
Yep. Please note that to those who use web servers different from Apache, those files just clutter directories.

Possibly an option on installation would be nice? Auto-detected even?

DavidIQ
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: Disable ServerSignature

Post by DavidIQ »

Louis7777 wrote:
DavidIQ wrote: It is not the job of the forum software to ensure the server is set up correctly.
True, although phpBB provides blank index files in various directories to ensure that the server will not display their files in case that the directory views have not been disabled.

In my opinion, if it's just a line in the .htaccess that doesn't have any disadvantages then we should include it. It assists security after all.
Listing files and listing the server version are two very different things. It's probably a bigger issue to list the file contents of a directory that should not be listed. Also the change here only benefits Apache web servers whereas that blank index file you referenced benefits all server types. Besides if someone really wanted this information they would just go to another directory outside of the directory the forum is installed in and get it by other means.

Louis7777
Registered User
Posts: 394
Joined: Fri Apr 04, 2014 12:32 am

Re: Disable ServerSignature

Post by Louis7777 »

DavidIQ wrote: Also the change here only benefits Apache web servers
Yes, and the .htaccess files are mainly for Apache web servers. Still, we have them.

Anyway, it's just one line that benefits security - what's wrong with it?

DavidIQ
Customisations Team Leader
Posts: 1904
Joined: Thu Mar 02, 2006 4:29 pm
Location: Earth

Re: Disable ServerSignature

Post by DavidIQ »

Louis7777 wrote: Yes, and the .htaccess files are mainly for Apache web servers. Still, we have them.
Yes because they're needed for url rewriting, not to change server configuration. There is also a web.config file.
Louis7777 wrote: Anyway, it's just one line that benefits security - what's wrong with it?
That it provides a false sense of security since it would only apply to one folder? Doesn't really provide a whole lot of benefit and one could even argue it might be harmful to have the user think that everything is somehow ok with this "one line" in place. In any case if the developers want to add it then that's fine of course. I'm just giving my opinion. ;)
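Added example, not part of any post in this thread: a check an admin can run over responses from their own server to see what the one-line .htaccess change covers. In Apache, ServerSignature controls only the footer on server-generated pages, while the Server response header is governed by ServerTokens, which can only be set in the main server configuration. The responses, host name and version strings below are constructed.

```python
import re

# Constructed sample responses (host name and version strings are made up).
_ERR = "<html><body><h1>Not Found</h1><hr>\n{}</body></html>"
_SIG = "<address>Apache/2.4.57 (Debian) Server at forum.example Port 80</address>\n"
SIGNATURE_ON = ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.57 (Debian)\r\n"
                "Content-Type: text/html\r\n\r\n" + _ERR.format(_SIG))
# ServerSignature Off via .htaccess: footer gone, header unchanged.
HTACCESS_ONLY = ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.57 (Debian)\r\n"
                 "Content-Type: text/html\r\n\r\n" + _ERR.format(""))
# ServerTokens Prod in the main config plus ServerSignature Off.
SERVER_WIDE = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
               "Content-Type: text/html\r\n\r\n" + _ERR.format(""))

# A product token that carries a version, e.g. "Apache/2.4.57".
VERSIONED = re.compile(r"\b[A-Za-z][\w.-]*/\d[\w.]*")
# Footer Apache appends to server-generated pages when ServerSignature is On.
FOOTER = re.compile(r"<address>(.*?Server at .*? Port \d+)</address>", re.I | re.S)


def parse_response(raw):
    """Split a raw HTTP response into (status, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(raw):
    """List where one response still discloses the server version."""
    _status, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSIONED.search(server):
        findings.append(("header", server))
    footer = FOOTER.search(body)
    if footer:
        findings.append(("footer", footer.group(1)))
    return findings


if __name__ == "__main__":
    for name in ("SIGNATURE_ON", "HTACCESS_ONLY", "SERVER_WIDE"):
        print(name, audit(globals()[name]))
```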
