Hello
We're received the notice that our server is not an apache server. I knew exactly why this is, and could fix it. However i prefer to replace the "Server" header (and thereby the $_SERVER['SERVER_SOFTWARE'] variable) to let a potential attacker think that it in fact is not an apache server.
We're using mod_security to detect potential attacks, and allow those potential attacks to be automagicly blocked on the firewall.
We've had a problem before with this module in combination with vBSEO, which was that post requests didn't got passed on..
With vBSEO it means mod_security can not do it's job to it's full potential. Which is pretty unfortunate, imho.
I am wondering if anyone knows if there is an alternate detection method for detecting IIS or Apache? (and if so, could this be moved into feature requests to replace the current detection method?)
All i can think of at the moment is detection of default modules inside apache or IIS, or perhaps detection of files on the system (provided that the webserver in question can access them). However i have not tested any of these theories, yet.
regards,
xb_







