
clear yaws version info away from http header #86

ai-quantong opened this Issue · 6 comments

3 participants

ai-quantong Steve Vinoski Claes Wikstrom


I am a web-project developer. Recently I am working on a project using Yaws as the HTTP server for a bank!

For security reasons, my customer hopes that we would clear the Yaws version info away from the HTTP header. Sometimes a leak of info like this can make the system vulnerable to attack. The same as other web servers (Tomcat, WebLogic), Yaws should supply some fields to control it in the profile. However, I spent almost one day searching the profile, the instructions, and even the code of Yaws. Unfortunately, I got nothing!

Do I still need to find the fields? Does Yaws provide the fields?



I know! Yaws 1.92 can support the fields in the profile. Now I am busy updating Yaws from version 1.88 to version 1.92!

Steve Vinoski

Correct. If you set the server_signature global configuration variable, you can control what is returned in the "Server" HTTP response header.

Steve Vinoski

A commit yesterday also added the ability to set server_signature on a per-virtual-server level as well as at the global level.


As you say, we can get past the problem like this. But for Yaws 1.88, I had to change the code (yaws_generated.complete), then configure && make again! However, I know whether this can cause some side effect!

Steve Vinoski

For Yaws 1.88, I recommend just changing the code in src/yaws.erl around line 1364. The code there looks like this:

    ["Server: Yaws/", yaws_generated:version(), " Yet Another Web Server\r\n" |

Change that to:

    ["Server: Yaws (Yet Another Web Server)\r\n" |

or something equally as suitable.
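
A check to confirm that the change took effect, as an added example that is not part of the original thread or of Yaws: it parses a raw HTTP response and reports any product/version token in the `Server` header. The sample responses are constructed from the two header strings quoted above, with 1.88 filled in for the version.

```python
import re

# A product/version token as used in the HTTP "Server" header, e.g. "Yaws/1.88".
VERSIONED_PRODUCT = re.compile(r"([A-Za-z][\w.+-]*)/(\d[\w.+-]*)")


def server_header(raw_response: bytes):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:  # skip the status line (HTTP/1.1 ...)
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":  # header names are case-insensitive
            return value.strip()
    return None


def leaked_versions(raw_response: bytes):
    """List (product, version) pairs disclosed in the Server header."""
    value = server_header(raw_response)
    if value is None:
        return []
    return VERSIONED_PRODUCT.findall(value)


# Constructed sample responses (not captured from a real server).
UNPATCHED = (b"HTTP/1.1 200 OK\r\n"
             b"Server: Yaws/1.88 Yet Another Web Server\r\n"
             b"Content-Length: 0\r\n\r\n")
PATCHED = (b"HTTP/1.1 200 OK\r\n"
           b"Server: Yaws (Yet Another Web Server)\r\n"
           b"Content-Length: 0\r\n\r\n")
NO_HEADER = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("unpatched", UNPATCHED), ("patched", PATCHED),
                        ("no Server header", NO_HEADER)):
        leaks = leaked_versions(resp)
        print(f"{label}: {'LEAK ' + str(leaks) if leaks else 'ok'}")
```

Run it against responses from every virtual server and from error pages as well as normal pages, since each can emit its own `Server` header.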

Claes Wikstrom