[wp-trac] [WordPress Trac] #36486: is_apache in vars.php does not always work
WordPress Trac
noreply at wordpress.org
Wed Jul 31 18:20:32 UTC 2024
#36486: is_apache in vars.php does not always work
---------------------------+------------------------------
Reporter: amandato | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Rewrite Rules | Version: 4.4.2
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
---------------------------+------------------------------
Comment (by crobbinsdg):
I've encountered instances where the Server header lacks explicit mention
of Apache or LiteSpeed. It's worth noting that as of 2024, it is common
to see the Server header removed as a security best practice or changed
through popular proxy cache services.
The OWASP Secure Headers Project explicitly advises removing the Server
header to minimize potential information disclosure.
https://owasp.org/www-project-secure-headers/#prevent-information-disclosure-via-http-headers
Cloudflare's widely used proxy cache service defaults to replacing the
Server header value with "cloudflare".
In my experience, numerous WordPress security and caching plugins rely on
variables such as $is_apache, $is_nginx, $is_IIS, and $is_iis7 to
determine how to configure their features.
If better defining these variables proves challenging, a potential
solution could involve providing more formal ways for developers to
explicitly define their environment. This could be achieved through
methods like wp-config definitions, offering an alternative way to convey
this critical information.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36486#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform