Minimise What Apache Reveals In The HTTP Header
From NetworkStuff
The ability to identify or 'fingerprint' the web server and other software (possibly also your operating system) you are running on a server is considered a security risk. This information could be used to research and exploit vulnerabilities in the specific software (and versions of software) identified as running on a server.
To configure Apache to provide the minimum information in the HTTP Server header it sends with every response:
- Edit the Apache configuration file, httpd.conf or apache2.conf, normally found in the /etc/httpd/conf/ or /etc/apache2/ directory respectively
- Set the ServerTokens entry to Prod or ProductOnly
Apache will now populate the Server HTTP header with only 'Apache'.
Here's an example of what is returned by this website:
HTTP/1.1 200 OK
Date: Wed, 18 Jun 2008 16:14:02 GMT
Server: Apache
Last-Modified: Fri, 30 Nov 2007 08:17:34 GMT
ETag: "b0043ae-262-10098380"
Accept-Ranges: bytes
Content-Length: 610
Connection: close
Content-Type: text/html
Usage Notes
Other options and their typical output are:
- Full - Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch Server
- OS - Apache/2.2.8 (Ubuntu) Server
- Minimal - Apache/2.2.8 Server
- Minor - Apache/2.2 Server
- Major - Apache/2 Server
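To audit a server against the settings listed above, the following added example (not part of the original article) reads a raw HTTP response and reports which ServerTokens level its Server header is consistent with. The function names are hypothetical, the patterns follow the version strings in the list above, and the sample response is constructed from the one shown in this article.

```python
import re

# Patterns ordered from most to least revealing; the first match wins.
# They follow the typical ServerTokens outputs listed in this article.
_LEVELS = [
    ("Full",    re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\) \S")),
    ("OS",      re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$")),
    ("Minimal", re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("Minor",   re.compile(r"^Apache/\d+\.\d+$")),
    ("Major",   re.compile(r"^Apache/\d+$")),
    ("Prod",    re.compile(r"^Apache$")),
]

# Constructed sample: a shortened copy of the response shown in this article.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 18 Jun 2008 16:14:02 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Length: 610\r\n"
    "Content-Type: text/html\r\n\r\n"
)

def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None                                # body text is never searched

def classify(value):
    """Map a Server header value to the ServerTokens level it matches."""
    if value is None:
        return "absent"
    for level, pattern in _LEVELS:
        if pattern.match(value):
            return level
    return "unknown"                           # not an Apache-style value

def audit(raw_response):
    """Summarise the header; only Prod or a missing header passes."""
    value = server_header(raw_response)
    level = classify(value)
    return {"server": value, "level": level, "ok": level in ("Prod", "absent")}

if __name__ == "__main__":
    print(audit(SAMPLE))
```
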
Related Articles
For information on server-generated pages, such as a 404 error page, see the Minimising What Apache Reveals In Server Generated Pages article.
For information on preventing PHP inserting the X-Powered-By header altogether, see the Preventing PHP Inserting The X-Powered-By HTTP Header article.
You may be interested in the HTTP Headers Masterclass.