Feature #3280
closed[PATCH] add option to not send Date header
Description
Added server.send-date-header option (default enable). If disabled the server stops adding Date: header to responses. I tested it and it works.
Files
Updated by gstrauss 2 months ago
- Status changed from New to Invalid
- Priority changed from Normal to Low
- Target version deleted (
1.4.78)
https://www.rfc-editor.org/rfc/rfc9110.html#name-date
An origin server with a clock (as defined in Section 5.6.7) MUST generate a Date header field [...]
You are welcome to use your custom patch yourself, but this will not be accepted into lighttpd.
Your post does not explain your intended value/purpose of this feature, nor does it demonstrate with data how your patch addresses the (as yet unknown) issue your patch purports to solve.
Your patch is also incomplete, as it neglects to configure HTTP/2 date response headers.
Updated by gstrauss 2 months ago
... Catching up to lighttpd IRC channel: You posted to the lighttpd IRC channel but then failed to post any justification here, even after having been advised to do so in IRC.
lighttpd HTTP Date response header is GMT (gmtime_r()) and the HTTP Date header has 1-second precision.
If your system clock is synchronized with other clocks on the planet (e.g. via NTP), there is no information leak since the shared time is already well-known.
The HTTP Date header is not high-precision time and as such is not very useful in high-precision timing attacks.
You seem to have a misunderstanding of what constitutes "identifiable information about my server" (quoting what you posted on IRC).
Please do not post patches without explaining the reasoning behind the patches. Also, discussions in the lighttpd forums are recommended for "great ideas" before spending time coding them.
Also available in: Atom