是否需要通过Rails应用程序设置ServerSignature和ServerTokens apache配置选项? [英] Necessary to set ServerSignature and ServerTokens apache config options with Rails apps?

问题描述

我在其中一本关于Rails的书中碰巧说应该设置

I came across something in one of my rails books that said I should set

ServerSignature Off
ServerTokens Prod 

在应用程序启动时禁止apache在生产中显示服务器信息.这有必要吗?我在产品中看到的唯一错误消息是标准的Rails生产错误消息.我从没看到任何服务器信息.

to disable apache from showing server information in production when the app screws up. Is this necessary? The only error message I see in prod is the standard Rails production error message. I never see any server information.

我还需要设置其他与安全相关的apache配置变量吗?

Are there any other security related apache config variables I need to set?

推荐答案

这不是必需的，但建议这样做.通过显示服务器签名和完整的服务器令牌，您为潜在的黑客提供了一种更简单的方法来识别如何对您的系统进行黑客攻击.例如，在启用ServerSignature并使用完整的ServerToken的情况下，黑客将确切知道您正在运行的操作系统(包括版本)和服务器技术.

It is not necessary, but it is recommended. By showing the server signature and the full server tokens you are giving potential hackers an easier way to identify how to hack your system. For example, with ServerSignature on and a full ServerToken, a hacker will know exactly what OS (including version) and server technology you are running.

示例.将ServerToken设置为已满，您可能会得到:

Example. With ServerToken set to full you might get:

带有Suhosin-Patch Server的Apache/2.2.8(Ubuntu)PHP/5.2.4-2ubuntu5

将它设置为prod只会得到

With it set to prod you will only get

Apache

有关slicehost的文章给出了很好地概述了如何处理serverSignature和serverTokens

This article on slicehost gives a good overview of how to approach serverSignature and serverTokens

这篇关于是否需要通过Rails应用程序设置ServerSignature和ServerTokens apache配置选项?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！