Hide or obfuscate X-Mod-Pagespeed header #321

Closed
GoogleCodeExporter opened this Issue Apr 6, 2015 · 9 comments

GoogleCodeExporter commented Apr 6, 2015

Is it possible to hide the X-Mod-Pagespeed header? Or at least which version
is being used; perhaps say Production or Testing.

Looking at the potential for attack vectors if a security issue was introduced 
on a specific release and rogue users attempted to exploit the vulnerability.

Original issue reported on code.google.com by webmas...@organicspider.co.uk on 12 Jul 2011 at 8:29

GoogleCodeExporter commented Apr 6, 2015

I'm also interested in this feature. I don't see the need to let the world know
I have mod_pagespeed installed, at least not the full version.

Original comment by ionut.ne...@gmail.com on 12 Feb 2012 at 1:02

GoogleCodeExporter commented Apr 6, 2015

Perhaps mod_header would be an easy way to achieve what you're after?

But removing the header is only part of the story - rewritten resources are 
fairly distinctive.

Original comment by matterb...@google.com on 14 Feb 2012 at 9:52

GoogleCodeExporter commented Apr 6, 2015

Tried mod_header; it doesn't remove the mod_pagespeed header. Rewritten
resources are not the same as advertising which version you are running.

Original comment by ionut.ne...@gmail.com on 16 Feb 2012 at 1:01

GoogleCodeExporter commented Apr 6, 2015

Hi

I used mod_header and it worked OK - in my .conf file

    # Remove the header - no reason to publish it
    Header unset X-Mod-Pagespeed

This is after the ModPageSpeed on (and various other lines) in the specific 
conf for the virtual host, so you may have to do it in this order for it to 
work.

Pete

Original comment by petesto...@gmail.com on 22 Feb 2012 at 7:23

GoogleCodeExporter commented Apr 6, 2015

Thanks for the tip! FWIW I'm adding a directive that allows you to set the value
of the X-Mod-Pagespeed header, but not delete it because it is required for
certain setups (such as Apache with MPS as an origin server fronted by another
Apache w/ MPS). If you need it deleted you can use mod_header as described above.

Original comment by matterb...@google.com on 22 Feb 2012 at 8:17

  • Changed state: Started

GoogleCodeExporter commented Apr 6, 2015

I've committed a change to allow you to set the string after X-Mod-Pagespeed.
The directive is called ModPagespeedXHeaderValue. The value cannot be blank.

You can either build from source or wait for the next binary release.

Original comment by matterb...@google.com on 24 Feb 2012 at 5:51

  • Changed state: Fixed
  • Added labels: release-note
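
Added example, not part of the original thread or the mod_pagespeed project's code: a small Python check a site operator can run over a captured response to see which of the states discussed above the server is in (default header, value relabelled with ModPagespeedXHeaderValue, or removed with Header unset) and whether rewritten-resource URLs still appear in the body. The version-string format, the `.pagespeed.` URL marker and all sample responses are assumptions constructed for illustration.

```python
import re

# Assumption: an unconfigured module sends a dotted version with a build
# suffix, e.g. "1.2.3.4-567" (constructed value, not a real release).
VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,3}(?:-\d+)?$")
# Assumption: rewritten resource URLs contain a ".pagespeed." segment.
REWRITTEN_RE = re.compile(r"""(?:src|href)=["'][^"']*\.pagespeed\.""", re.I)

def split_response(raw):
    """Split a raw HTTP response into ({lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body

def audit(raw):
    """Classify the X-Mod-Pagespeed header and note rewritten-resource URLs."""
    headers, body = split_response(raw)
    value = headers.get("x-mod-pagespeed")
    if value is None:
        state = "absent"              # e.g. Header unset X-Mod-Pagespeed
    elif VERSION_RE.match(value):
        state = "version-disclosed"   # header still carries a version string
    else:
        state = "custom-value"        # e.g. set via ModPagespeedXHeaderValue
    return {"header": state,
            "rewritten_resources": bool(REWRITTEN_RE.search(body))}

# Constructed sample responses (not captured from a real server).
BODY = '<html><img src="/img/logo.png.pagespeed.ce.AAAAAAAAAA.png"></html>'

def response(extra_header=""):
    return ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            + extra_header + "\r\n" + BODY)

DEFAULT = response("X-Mod-Pagespeed: 1.2.3.4-567\r\n")
RELABELLED = response("X-Mod-Pagespeed: Production\r\n")
UNSET = response()

if __name__ == "__main__":
    for name, raw in (("default", DEFAULT), ("relabelled", RELABELLED),
                      ("unset", UNSET)):
        print(name, audit(raw))
```

In all three sample cases the body still contains a rewritten URL, which is the point made earlier in the thread that removing the header is only part of the story.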

GoogleCodeExporter commented Apr 6, 2015

Matt can you add doc for this & then close?  Thanks!

Original comment by jmara...@google.com on 23 May 2012 at 2:37

  • Changed state: Started

GoogleCodeExporter commented Apr 6, 2015

Doc added.

Original comment by matterb...@google.com on 23 May 2012 at 3:40

  • Changed state: Fixed
  • Added labels: Milestone-v22

GoogleCodeExporter commented Apr 6, 2015

Original comment by jmara...@google.com on 25 May 2012 at 2:39
