Thread: [mod-security-users] server response ordering
From: Tom A. <tan...@oa...> - 2005-01-31 07:18:20
Is there any way to change the order of fields output by Apache using mod_security? Eg, IIS and Netscape output the server field, then the date field, but Apache does the date first. To help prevent fingerprinting, I'd like to reorder the fields.

Tom
From: Ivan R. <iv...@we...> - 2005-01-31 16:50:56
Tom Anderson wrote:
> Is there any way to change the order of fields output by Apache using
> mod_security? Eg, IIS and Netscape output the server field, then the
> date field, but Apache does the date first. To help prevent
> fingerprinting, I'd like to reorder the fields.

No, because that's not something you can do with Apache (without changing the source code). Apache hard-codes two of the headers, Date and Server, and there's nothing one can do about it.

Therefore the only way to hide Apache is to put a reverse proxy in front of it and instruct the reverse proxy to shuffle the headers. But even if you did that you would still have to handle some other signs you are running Apache - the contents of the ETag header, for example.

Header shuffling is potentially useful when Apache is used as a reverse proxy. In this mode of operation Apache will use the headers received from the remote server and not send its own. The only drawback of this solution is that it is trivial to discover the identity of the Apache reverse proxy. Just send it a bad request.

--
Ivan Ristic (http://www.modsecurity.org)
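
A check for the reverse-proxy setup discussed in this thread, added here as an example and not part of either message: it compares the origin's raw response head with what the proxy emits and reports whether the Date/Server order was actually changed and whether an ETag still passes through. The function names and the sample responses (including the `ExampleOrigin` banner) are constructed for illustration.

```python
# Added example: samples below are constructed, not captured from a real server.

def header_order(raw: bytes) -> list[str]:
    """Header names in wire order (lower-cased) from a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n")[1:]:          # [1:] skips the status line
        if line[:1] in (b" ", b"\t"):             # folded continuation, not a new field
            continue
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.strip().decode("ascii", "replace").lower())
    return names

def date_server_order(raw: bytes) -> str:
    """'date-first', 'server-first', or 'incomplete' if either header is missing."""
    names = header_order(raw)
    if "date" not in names or "server" not in names:
        return "incomplete"
    return "date-first" if names.index("date") < names.index("server") else "server-first"

def audit(origin: bytes, proxied: bytes) -> list[str]:
    """Findings for a proxied response, compared with the origin's own response."""
    findings = []
    if date_server_order(proxied) == date_server_order(origin) != "incomplete":
        findings.append("proxy kept the origin's Date/Server order")
    if "etag" in header_order(proxied):
        findings.append("ETag passed through; review its contents")
    return findings

ORIGIN = (b"HTTP/1.1 200 OK\r\nDate: Mon, 31 Jan 2005 16:00:00 GMT\r\n"
          b"Server: ExampleOrigin\r\nETag: \"constructed-etag\"\r\n"
          b"Content-Type: text/html\r\n\r\n<html></html>")
PASSTHROUGH = ORIGIN  # a proxy that forwards the origin's headers unchanged
SHUFFLED = (b"HTTP/1.1 200 OK\r\nServer: ExampleOrigin\r\n"
            b"Date: Mon, 31 Jan 2005 16:00:00 GMT\r\n"
            b"Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, resp in (("passthrough", PASSTHROUGH), ("shuffled", SHUFFLED)):
        print(label, date_server_order(resp), audit(ORIGIN, resp))
```

An "incomplete" result means one of the two headers is absent from that response, so the order comparison does not apply to it.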