Code:
# Disable server signature
ServerSignature Off
DavidIQ wrote: The default is off so if this option is on it's on purpose.
That's the problem. On many webhosts that I've used it wasn't off by default, so I had to turn it off myself using the code above. Without it the server would display info such as "Apache/2 Server at domain.com Port 80".

A_Jelly_Doughnut wrote: phpBB certainly should not be providing workarounds for server misconfigurations. Even, IMO, if it affects phpBB's own functionality which this does not.
Exactly. It is not the job of the forum software to ensure the server is set up correctly.

DavidIQ wrote: It is not the job of the forum software to ensure the server is set up correctly.
True, although phpBB provides blank index files in various directories to ensure that the server will not display their files in case that the directory views have not been disabled.

Quote: True, although phpBB provides blank index files in various directories
Yep. Please note that to those who use web servers different from Apache, those files just clutter directories.

Louis7777 wrote:
    DavidIQ wrote: It is not the job of the forum software to ensure the server is set up correctly.
    True, although phpBB provides blank index files in various directories to ensure that the server will not display their files in case that the directory views have not been disabled.
Listing files and listing the server version are two very different things. It's probably a bigger issue to list the file contents of a directory that should not be listed. Also the change here only benefits Apache web servers whereas that blank index file you referenced benefits all server types. Besides, if someone really wanted this information they would just go to another directory outside of the directory the forum is installed in and get it by other means.

In my opinion, if it's just a line in the .htaccess that doesn't have any disadvantages then we should include it. It assists security after all.

DavidIQ wrote: Also the change here only benefits Apache web servers
Yes, and the .htaccess files are mainly for Apache web servers. Still, we have them.

Louis7777 wrote: Yes, and the .htaccess files are mainly for Apache web servers. Still, we have them.
Yes, because they're needed for URL rewriting, not to change server configuration. There is also a web.config file.

Louis7777 wrote: Anyway, it's just one line that benefits security - what's wrong with it?
That it provides a false sense of security since it would only apply to one folder? Doesn't really provide a whole lot of benefit and one could even argue it might be harmful to have the user think that everything is somehow ok with this "one line" in place. In any case if the developers want to add it then that's fine of course. I'm just giving my opinion.
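
The scope point raised in the last posts, as an added example that is not part of the thread or of phpBB: a Python check that looks for the signature footer in error pages collected from inside and outside the forum directory. The paths and response bodies are constructed samples; the footer text follows the string quoted earlier in the thread.

```python
import re

# Footer Apache appends to server-generated pages while ServerSignature is On,
# e.g. <address>Apache/2 Server at domain.com Port 80</address>
SIGNATURE_RE = re.compile(
    r"<address>\s*(?P<product>Apache[^<]*?)\s+Server at\s+"
    r"(?P<host>\S+)\s+Port\s+(?P<port>\d+)\s*</address>",
    re.IGNORECASE,
)

def find_signature(body):
    """Return (product, host, port) if the body carries the footer, else None."""
    m = SIGNATURE_RE.search(body)
    if m is None:
        return None
    return m.group("product"), m.group("host"), int(m.group("port"))

def audit(responses):
    """Map each probed path to the disclosed product string, or None if clean."""
    report = {}
    for path, body in responses.items():
        hit = find_signature(body)
        report[path] = hit[0] if hit else None
    return report

def leaking_paths(responses):
    """Sorted list of paths whose error page still shows the signature."""
    return sorted(p for p, product in audit(responses).items() if product)

# Constructed 404 bodies. Assumption: /forum/ holds the .htaccess with
# "ServerSignature Off"; the site root has no such override.
ERROR_PAGE = (
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n"
    "<p>The requested URL was not found on this server.</p>\n"
    "{footer}</body></html>\n"
)
FOOTER = "<hr>\n<address>Apache/2 Server at domain.com Port 80</address>\n"
SAMPLE_RESPONSES = {
    "/forum/no-such-page": ERROR_PAGE.format(footer=""),
    "/no-such-page": ERROR_PAGE.format(footer=FOOTER),
    "/images/no-such-page": ERROR_PAGE.format(footer=FOOTER),
}

if __name__ == "__main__":
    for path, product in sorted(audit(SAMPLE_RESPONSES).items()):
        print(f"{path}: {product or 'no signature'}")
```

An empty list from `leaking_paths` across directories outside the forum is what shows the setting was applied for the whole server rather than only in one folder's .htaccess.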