Hide or obfuscate X-Mod-Pagespeed header

[GoogleCodeExporter]

Is it possible to hide the X-Mod-Pagespeed header ? or at least which version 
is being used; perhaps say Production or Testing.

Looking at the potential for attack vectors if a security issue was introduced 
on a specific release and rogue users attempted to exploit the vulnerability.

Original issue reported on code.google.com by webmas...@organicspider.co.uk on 12 Jul 2011 at 8:29

[GoogleCodeExporter]

I'm also interested in this future, I don't see the need to let the world know 
I have mod_pagespeed installed, at least not the full version

Original comment by ionut.ne...@gmail.com on 12 Feb 2012 at 1:02

[GoogleCodeExporter]

Perhaps mod_header would be an easy way to achieve what you're after?

But removing the header is only part of the story - rewritten resources are 
fairly distinctive.

Original comment by matterb...@google.com on 14 Feb 2012 at 9:52

[GoogleCodeExporter]

Tried mod_header, it doesn't remove the mod_pagespeed header, rewritten 
resources is not the same as advertising which version you are running

Original comment by ionut.ne...@gmail.com on 16 Feb 2012 at 1:01

[GoogleCodeExporter]

Hi

I used mod_header and it worked OK - in my .conf file

# Remove the header - no reason to publish it
    Header unset X-Mod-Pagespeed

This is after the ModPageSpeed on (and various other lines) in the specific 
conf for the virtual host, so you may have to do it in this order for it to 
work.

Pete

Original comment by petesto...@gmail.com on 22 Feb 2012 at 7:23

[GoogleCodeExporter]

Thanks for the tip! FWIW I'm adding a directive that allows you to set the value
of the X-Mod-Pagespeed header, but not delete it because it is required for 
certain
setups (such as Apache with MPS as an origin server fronted by another Apache 
w/ MPS).
If you need it deleted you can use mod_header as described above.

Original comment by matterb...@google.com on 22 Feb 2012 at 8:17

• Changed state: Started

[GoogleCodeExporter]

I've committed a change to allow you set the string after X-Mod-Pagespeed.
The directive is called ModPagespeedXHeaderValue. The value cannot be blank.

You can either build from source or wait for the next binary release.

Original comment by matterb...@google.com on 24 Feb 2012 at 5:51

• Changed state: Fixed
• Added labels: release-note

[GoogleCodeExporter]

Matt can you add doc for this & then close?  Thanks!

Original comment by jmara...@google.com on 23 May 2012 at 2:37

• Changed state: Started

[GoogleCodeExporter]

Doc added.

Original comment by matterb...@google.com on 23 May 2012 at 3:40

• Changed state: Fixed
• Added labels: Milestone-v22

[GoogleCodeExporter]

Original comment by jmara...@google.com on 25 May 2012 at 2:39