Omit User-Agent: header by default

The User-Agent: header can be fun and interesting and useful for
debugging, but it also leaks quite a bit of information about the user
and their software stack.

This represents a potential security risk (attackers can target the
particular stack) and also an anonymity risk (a user trying to
preserve their anonymity by sending mail from a non-associated account
might reveal quite a lot of information if their choice of mail user
agent is exposed).

Users who want to configure `user_agent` to `yes` can still do so, but
it makes sense to have safer defaults.

Co-authored-by: Richard Russon <rich@flatcap.org>

diff --git a/init.h b/init.h
index 5402c519fb4de4b511da90e000849cee97c9e177..fd060f85d5eb385070b0cf643b675f06bcda627c 100644 (file)
--- a/init.h
+++ b/init.h
@@ -4702,7 +4702,7 @@ struct ConfigDef MuttVars[] = {
   ** Normally, the default should work.
   */
 #endif /* HAVE_GETADDRINFO */
-  { "user_agent", DT_BOOL, &C_UserAgent, true },
+  { "user_agent", DT_BOOL, &C_UserAgent, false },
   /*
   ** .pp
   ** When \fIset\fP, NeoMutt will add a "User-Agent:" header to outgoing