Hello!
Basically my question is the same as the subject of this thread, does it make sense to hide user agent information in order to enforce security on any given system?
I looked for a similar topic on the forum but found nothing.
I am asking this since the rule is: more disclosed information means a bigger risk.
Thank you in advance and have a nice day! ;-)

P.S. Sorry if my english in not verry good. :-)

the user agent is the browser, not the server. You wouldn't mess with that on the server side. Maybe you're referring the the "X-powered-by" or "Server" headers?

I see it as a case of the proverbial, "Anything you say, can and will be used against you". Knowing version information might make it easier to target an exploit at you, however, not disclosing the version information won't preclude you from being exploited either. In other words, focus on securing your server, not hiding information about it.

You *can* hide the user agent string but whether is is of much benefit to do so from a security standpoint is deebateable. You can determine the browser a person is using (within reasonable estimates if no always exactly) by other means. WHat langauges does it support, does it accept activeeX, does it sue javascript (if it does it will reveal a LOT more info), does it accept plugins, which ones are isntalled, etc.

There is a website that does a browser fingerprinting demo that can be a real eye opener. https://panopticlick.eff.org/

For more info on browser fingerprinting just do a web search for the term.

You also may face problems on those websites that are still mired in the 90's that do browser sniffing to display targeted content to different browsers.

Whether you feel it is worth while is up to you. For myself I don't bother too much.