https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #9 from Mark Thomas <ma...@apache.org> ---

I remain unconvinced that there are any real world security benefits to be gained by removing the security header.

The bandwidth argument carries slightly more weight but we are only talking 27 bytes per response and most responses will dwarf that by at least several orders of magnitude. Add HTTP/2 to the mix and those 27 bytes will quickly shrink.

If we do anything at all, I am leaning towards completely removing all Server header processing (all ~15 lines of code of it) and let applications add it if they wish. Users wanting to provide useful server version information via configuration can enable the X-Powered-By header.