All,

I've been looking at using Pound for a web-based mapping application where we must use a server farm of MS IIS 6.0 on the back-end :o(

One of the things we need to do is to 'anonymise' the server's HTTP headers, it would be "really good(tm)" if we could manipulate the outbound HTTP headers by deleting them, adding new ones or replacing them... using something like:

    HeaderDelete: <name>
    HeaderAdd: <name> <value>
    HeaderReplace: <name> <new-value>

So we would manipulate a typical IIS response:

    HTTP/1.1 200 OK
    Connection: close
    Date: Sat, 19 Nov 2005 17:24:53 GMT
    Server: Microsoft-IIS/6.0
    P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 22171

with configuration commands like:

    HeaderDelete: Connection
    HeaderReplace: Server NutScrape/3.1415/CPM-2.2
    HeaderDelete: P3P
    HeaderReplace: X-Powered-By Zilog-Z80
    HeaderDelete: X-AspNet-Version
    HeaderAdd: X-Organization Bill Gates Fan Club
    HeaderDelete: Cache-Control

making the HTTP headers sent back to the client read like this:

    HTTP/1.1 200 OK
    Date: Sat, 19 Nov 2005 17:24:53 GMT
    Server: NutScrape/3.1415/CPM-2.2
    X-Powered-By: Zilog-Z80
    X-Organization: Bill Gates Fan Club
    Content-Type: text/html; charset=utf-8
    Content-Length: 22171

Clearly this could be used in such a way that it would break clients and sites (if misused or misunderstood) but it would be powerful for hiding the true identity of the server technology behind Pound (i.e. 'cloaking' the server) -- in some cases this may improve security (by deflecting certain types of attack) and allow sites to be anonymous, for example when scanned by Netcraft for server type, etc.

Any thoughts?
Mike
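
The rewrite described in the message above, as an added example that is not part of the original post and is not Pound code. The directive names are the ones the poster proposes; `parse_rules`, `apply_rules`, replace-only-if-present for HeaderReplace, append-at-end for HeaderAdd and the CR/LF check (which stops a rule value from injecting extra header lines) are assumptions.

```python
# Added example of the proposed directives; names and edge cases are assumptions.
IIS_HEADERS = [  # response headers quoted in the message, in wire order
    ("Connection", "close"),
    ("Date", "Sat, 19 Nov 2005 17:24:53 GMT"),
    ("Server", "Microsoft-IIS/6.0"),
    ("P3P", 'CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo '
            'OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"'),
    ("X-Powered-By", "ASP.NET"),
    ("X-AspNet-Version", "2.0.50727"),
    ("Cache-Control", "private"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Length", "22171"),
]
RULES = """\
HeaderDelete: Connection
HeaderReplace: Server NutScrape/3.1415/CPM-2.2
HeaderDelete: P3P
HeaderReplace: X-Powered-By Zilog-Z80
HeaderDelete: X-AspNet-Version
HeaderAdd: X-Organization Bill Gates Fan Club
HeaderDelete: Cache-Control
"""
OPS = ("headerdelete", "headerreplace", "headeradd")

def parse_rules(text):
    """Turn 'Directive: <name> [<value>]' lines into (op, name, value) tuples."""
    rules = []
    for line in text.strip().splitlines():
        directive, _, rest = line.partition(":")
        name, _, value = rest.strip().partition(" ")
        if directive.strip().lower() not in OPS or not name:
            raise ValueError(f"bad rule: {line!r}")
        rules.append((directive.strip().lower(), name, value.strip()))
    return rules

def apply_rules(headers, rules):
    """Return a new header list with the rules applied in order."""
    out = list(headers)
    for op, name, value in rules:
        if any(c in name + value for c in "\r\n"):
            raise ValueError("CR/LF in a rule would inject extra header lines")
        key = name.lower()  # header field names are case-insensitive
        if op == "headerdelete":
            out = [(n, v) for n, v in out if n.lower() != key]
        elif op == "headerreplace":  # assumption: absent headers stay absent
            out = [(n, value if n.lower() == key else v) for n, v in out]
        elif op == "headeradd":  # assumption: appended after existing headers
            out.append((name, value))
    return out
```

With these assumptions `X-Organization` lands after `Content-Length` rather than in the position shown in the message; the set of headers sent to the client is the same.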