https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #16 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Mark Thomas from comment #9)
> I remain unconvinced that there are any real world security benefits to be
> gained by removing the security header.

Agreed.

> The bandwidth argument carries slightly more weight but we are only talking
> 27 bytes per response and most responses will dwarf that by at least several
> orders of magnitude. Add HTTP/2 to the mix and those 27 bytes will quickly
> shrink.

While the bytes shrink, the CPU still gets wasted to shrink them.

An even better argument *for* a configurable parameter might be HTTP spec. Section 15.1.2 of RFC 2616 pretty much says flat-out that servers SHOULD make the Server header a configurable option. But, RFC 7231 says nothing similar so I'd call it a draw from a spec perspective.