[wp-trac] [WordPress Trac] #36486: is_apache in vars.php does not always work

WordPress Trac noreply at wordpress.org
Wed Jul 31 18:20:32 UTC 2024


#36486: is_apache in vars.php does not always work
---------------------------+------------------------------
 Reporter:  amandato       |       Owner:  (none)
     Type:  defect (bug)   |      Status:  new
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Rewrite Rules  |     Version:  4.4.2
 Severity:  normal         |  Resolution:
 Keywords:  has-patch      |     Focuses:
---------------------------+------------------------------

Comment (by crobbinsdg):

 I've encountered instances where the Server header lacks explicit mention
 of Apache or LiteSpeed.  It's worth noting that as of 2024, it is common
 to see the Server header removed as a security best practice or changed
 through popular proxy cache services.

 The OWASP Secure Headers Project explicitly advises removing the Server
 header to minimize potential information disclosure.
 https://owasp.org/www-project-secure-headers/#prevent-information-disclosure-via-http-headers

 Cloudflare's widely used proxy cache service defaults to replacing the
 Server header value with "cloudflare".

 In my experience, numerous WordPress security and caching plugins rely on
 variables such as $is_apache, $is_nginx, $is_IIS, and $is_iis7 to
 determine how to configure their features.

 If better defining these variables proves challenging, a potential
 solution could involve providing more formal ways for developers to
 explicitly define their environment. This could be achieved through
 methods like wp-config definitions, offering an alternative way to convey
 this critical information.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/36486#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
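
The explicit-override idea suggested in the comment above, sketched as an added example (not WordPress core code and not part of the ticket or its patch). The constant name WP_SERVER_TYPE_OVERRIDE and both function names are hypothetical; the fallback assumes substring sniffing of the server software string, with LiteSpeed grouped under Apache as the comment does.

```php
<?php
// Added illustration; not WordPress core code. The constant name
// WP_SERVER_TYPE_OVERRIDE and both function names are hypothetical.

const KNOWN_SERVER_TYPES = ['apache', 'nginx', 'iis'];

/**
 * Resolve the server type. An explicit, allow-listed override wins;
 * otherwise fall back to substring sniffing of the software string.
 * Returns 'unknown' instead of guessing when neither source is usable.
 */
function resolve_server_type(?string $override, ?string $server_software): string
{
    if ($override !== null) {
        $override = strtolower(trim($override));
        if (in_array($override, KNOWN_SERVER_TYPES, true)) {
            return $override;
        }
        // An unrecognised override is ignored rather than trusted.
    }

    $software = (string) $server_software;
    if (stripos($software, 'Apache') !== false || stripos($software, 'LiteSpeed') !== false) {
        return 'apache';
    }
    if (stripos($software, 'nginx') !== false) {
        return 'nginx';
    }
    if (stripos($software, 'Microsoft-IIS') !== false) {
        return 'iis';
    }
    return 'unknown';
}

// Reads the hypothetical wp-config constant and the real server variable.
function detect_server_type(): string
{
    $override = defined('WP_SERVER_TYPE_OVERRIDE') ? (string) WP_SERVER_TYPE_OVERRIDE : null;
    return resolve_server_type($override, $_SERVER['SERVER_SOFTWARE'] ?? null);
}

// Constructed sample values: string removed, rewritten by a proxy, intact,
// then a valid override and an unrecognised override.
$samples = [[null, ''], [null, 'cloudflare'], [null, 'Apache/2.4'], ['nginx', ''], ['tomcat', 'cloudflare']];
foreach ($samples as [$override, $software]) {
    printf("%-8s %-12s => %s\n", var_export($override, true), var_export($software, true), resolve_server_type($override, $software));
}
```

A plugin that writes server-specific rewrite or hardening rules can treat 'unknown' as a signal to skip that configuration instead of assuming a default server.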

