Web Server hardening question: Is masking the favicon overkill?

By robo_dev
I've got a Sun web server that's been hardened according to NIST and Sun guidelines, the HTTP headers are masked, etc., etc.

But one tiny little item remains: the favicon.

In this case it's a Sun box, so the favicon shows up as the little Sun logo. The logo is a little PNG file on the server and it's just a static element (no script is used to render it).

I know the mantra of security is 'if people don't think you're too paranoid, you're not paranoid enough'.....

Is killing the favicon overkill? As-is, the server is very difficult to fingerprint, but of course the favicon gives away the vendor.

Since Sun has a reasonably good reputation for security, is throwing out the hint that it's a Sun box an entirely bad thing?? What about a misleading favicon like the Microsoft logo?
