From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020606

Description of problem:
Many default values in Red Hat's Apache httpd.conf use ill-advised values. For instance, the default value for Options should be None; then you just set an extra option here and there as you really need.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
* FollowSymLinks: you immediately have ln -s /sensitive/file fileOnTheWeb
* Indexes: potential directory disclosures
* MultiViews: potential bugs due to more complex code
* ServerSignature On: shows too much info
* ServerTokens OS: shows too much info

Additional info:
Some recommendations:
* FollowSymLinks: you immediately have ln -s /sensitive/file fileOnTheWeb
  Change to SymLinksIfOwnerMatch if you really have to use symlinks.
* Indexes: potential directory disclosures
  Should not be used at all unless you expect it to do that.
* MultiViews: potential bugs due to more complex code
* ServerSignature On: shows too much info; should be just Off.
* ServerTokens OS: shows too much info; should be just Prod, so it would result in "Server: Apache" (no version, no OS, no anything... just Apache).
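As an added check (example code, not part of the report or of Red Hat's httpd.conf), a small Python audit that flags the directives listed above in an httpd.conf excerpt, handling both the absolute and the +/- relative Options syntax; the sample config is constructed:

```python
# Enabled Options values the report flags (lower-case: Apache matches them case-insensitively).
RISKY_OPTIONS = {
    "followsymlinks": "FollowSymLinks (prefer SymLinksIfOwnerMatch)",
    "indexes": "Indexes (directory listings)",
    "multiviews": "MultiViews (content negotiation)",
}

def enabled_options(args):
    """Options the argument list turns on, in both syntaxes Apache accepts:
    absolute ("Options Indexes FollowSymLinks") and relative ("Options
    -Indexes +FollowSymLinks"). "All" is everything except MultiViews."""
    on = set()
    for arg in args:
        opt = arg.lstrip("+-").lower()
        if arg.startswith("-"):
            on.discard(opt)
        elif opt == "all":
            on.update({"followsymlinks", "indexes"})  # tracked members of All
        elif opt != "none":
            on.add(opt)
    return on

def audit_httpd_conf(text):
    """Return (line_no, message) for each risky setting in a config text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        name = name.lower()
        if name == "options":
            for opt in sorted(enabled_options(args) & set(RISKY_OPTIONS)):
                findings.append((no, "Options " + RISKY_OPTIONS[opt]))
        elif name == "serversignature" and args and args[0].lower() != "off":
            findings.append((no, "ServerSignature %s: should be Off" % args[0]))
        elif name == "servertokens" and args and args[0].lower() != "prod":
            findings.append((no, "ServerTokens %s: should be Prod" % args[0]))
    return findings

# Constructed sample, not Red Hat's shipped httpd.conf: a stock-style directory next to a hardened one.
SAMPLE_CONF = """\
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/hardened">
    Options -Indexes +SymLinksIfOwnerMatch
</Directory>
"""
```

Running audit_httpd_conf(SAMPLE_CONF) reports lines 1, 2 and 4 (twice, once per risky option) and nothing for the hardened directory.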
Thanks for the suggestions. In general, our default httpd.conf stays close to upstream except where we have particular reason to differ. So, if you can make your case upstream, you have a better chance of getting these changed.

- "FollowSymLinks off" hurts performance since it adds many more stat calls per request.
- MultiViews has not been enabled in the docroot ever, AFAICT.
- Indexes, ServerTokens, ServerSignature: these are all acceptable trade-offs between usability and security.