Sebastian Nohn

Weblog

Bloody Sunday

The leader of God's own country himself sings the great U2 song.

Posted Sep 20, 2006
Tagged as: Fun, Music, USA

Google Conference on Test Automation

The conference is heading to its end, and it was the best conference I've ever been to. The talks were awesome, and I met a lot of interesting people.

Summaries of the talks are already available, as are photos.

Videos of the talks are available on Google Video; slides are available at Google UK.

Posted Sep 08, 2006
Tagged as: Conference, GTAC, Software Quality

Removing the Apache "Server" Header

Although RFC 2616 does not require sending the Server header in HTTP responses, and even says that "Server implementors are encouraged to make this field a configurable option", the Apache HTTP Server does not allow you to disable this header via its configuration. The only thing allowed is suppressing details such as the software version, additional modules etc., so that you can strip it down to "Apache". Even mod_headers with its Unset directive does not allow unsetting the header, because the core adds it after the output filters have run. Apache claims this is a feature - a very annoying one in my eyes.

For security, this is enough. If people want to find out which server and modules you are running, they can anyway. However, some people like to change the name to something completely different to feel more secure or to be cool. This can be done easily by patching include/ap_release.h.
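One check worth doing before worrying about the header at all: the Server header is not the only place Apache names itself. With ServerSignature On (the default in many distributions), every server-generated error page carries an &lt;address&gt; footer with the same server string plus host and port, so ServerTokens Prod belongs next to ServerSignature Off. The Python below is an added example, not code from this post or from the Apache project; the three responses are constructed to imitate what a 2.0.x server returns for a 404 under those settings, and the function reports where the server string still shows up.

```python
import re

# Constructed sample responses (not captured from a real host). Each imitates
# what an Apache 2.0.x server emits for a 404 under different httpd.conf settings.

# ServerTokens Full (the default) with ServerSignature On
RESPONSE_FULL = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Sat, 22 Jul 2006 10:00:00 GMT\r\n"
    b"Server: Apache/2.0.58 (Unix) PHP/5.1.4\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1>\n"
    b"<p>The requested URL /x was not found on this server.</p>\n"
    b"<hr />\n"
    b"<address>Apache/2.0.58 (Unix) PHP/5.1.4 Server at www.example.com Port 80</address>\n"
    b"</body></html>\n"
)

# ServerTokens Prod, but ServerSignature still On: the header is trimmed, yet the
# footer still names the product, the host and the port
RESPONSE_PROD_SIG = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Sat, 22 Jul 2006 10:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1>\n"
    b"<p>The requested URL /x was not found on this server.</p>\n"
    b"<hr />\n"
    b"<address>Apache Server at www.example.com Port 80</address>\n"
    b"</body></html>\n"
)

# ServerTokens Prod with ServerSignature Off
RESPONSE_PROD = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Sat, 22 Jul 2006 10:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1>\n"
    b"<p>The requested URL /x was not found on this server.</p>\n"
    b"</body></html>\n"
)

SERVER_HEADER = re.compile(rb"^Server:[ \t]*(.*?)\r\n", re.MULTILINE | re.IGNORECASE)
SIGNATURE = re.compile(rb"<address>(.*?Server at .*?Port \d+)</address>", re.DOTALL)
VERSION = re.compile(rb"Apache/(\d+(?:\.\d+)+)")


def split_response(raw):
    """Split a raw HTTP/1.x response into (headers, body); headers keep their CRLFs."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    return head + b"\r\n", body


def server_disclosures(raw):
    """Report where the response names its server software.

    'header' is the Server header value (None if absent), 'signature' the
    ServerSignature footer text (None if absent), 'versions' every Apache/x.y.z
    version string found anywhere in the response, and 'header_line_bytes' the
    size of the whole Server header line including its CRLF, i.e. what removing
    the header entirely would save per response.
    """
    head, body = split_response(raw)
    hdr = SERVER_HEADER.search(head)
    sig = SIGNATURE.search(body)
    return {
        "header": hdr.group(1).decode("latin-1") if hdr else None,
        "signature": sig.group(1).decode("latin-1") if sig else None,
        "versions": sorted({v.decode("latin-1") for v in VERSION.findall(raw)}),
        "header_line_bytes": len(hdr.group(0)) if hdr else 0,
    }


if __name__ == "__main__":
    for name, raw in (("Full/On", RESPONSE_FULL),
                      ("Prod/On", RESPONSE_PROD_SIG),
                      ("Prod/Off", RESPONSE_PROD)):
        print(name, server_disclosures(raw))
```

Against a live host the same function can be fed the output of `curl -si http://host/does-not-exist`; the version check scans the whole response on purpose, since a trimmed header with a full-length footer is the common half-fix.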

While the ap_release.h trick is nothing new and most people are happy with it, I'd like to go a bit further: get rid of the Server header altogether. Why? Removing it adds no security, but it saves 16 bytes (Server: Apache\r\n), not much compared to an average response size of 5000 bytes (0.32%) unless you serve billions of pages a month through an inherently expensive Content Delivery Network.

Most people don't serve billions of pages, and most people don't serve through CDNs, but Apache's response to my request was so snotty that I'd like to share my dirty patch (against Apache 2.0.58) with you. To apply it, run

user@host:~/httpd-2.0.58# patch modules/http/http_protocol.c < noserver.patch

before compiling it.

And read this before you go to bed.

Update:

This patch (see this documentation) introduces the new option Off to the ServerTokens directive. Although it's a dirty hack (I know neither the Apache source nor much C), maybe Apache makes it part of their server; they have the patch.

Update: Compatibility List

Update: Patch against Trunk

A patch against trunk is now available. It respects and contains a patch by Jeff Trawick that splits ap_get_server_version() into two functions, so that the full server string is available where appropriate while the string configured by ServerTokens is used in all other places (like the response header my patch is about).

Update: Patch against Trunk to implement ap_get_server_description()

Finally this patch is fully functional: it implements and uses ap_get_server_description() and ap_get_server_banner().

Posted Jul 22, 2006
Tagged as: Apache, Rant, Software Quality

WTF 2.0

Being a Web 2.0 system, the CMS used JavaScript that dynamically loaded JavaScript that dynamically loaded XML that was dynamically transformed into proprietary commands that were parsed to dynamically execute JavaScript to dynamically load content.

Posted Jul 18, 2006
Tagged as:

Weird Windows Notepad bug

Look at this weird notepad bug:

  1. Start Notepad
  2. Type in "this app can break"
  3. Save the file
  4. Close Notepad
  5. Start Notepad
  6. Open the file in Notepad

Behind 'How to break Windows Notepad'

Posted Jun 15, 2006
Tagged as: Software Quality
