hankknight
asked on
Apache: Remove Server Signature from Headers
I do not want my Apache server to return this header:
Server: Apache/2.2.8 (EL)
I placed this line in my httpd.conf file, but the Server Signature is still passed in a header:
ServerSignature Off
How can I remove that header from my httpd.conf file?
Try ServerTokens Prod
ASKER
No, that does not work.
It still sends this header:
Server: Apache
Look at the link you sent. It says:
ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
I don't want any Server header to be sent.
ASKER
Is it really impossible to remove the Apache header? Isn't there some sort of module or hack for this?
ASKER
It looks like ModSecurity/SecServerSignature could be used to change the server header but not to remove it.
ASKER
Is there any way to do this with mod_headers?
ServerSignature doesn't control the headers. It controls what is added at the bottom of directory listings pages.
I don't recommend removing that header completely (I, for one, like to be able to easily tell what type of web server is being used). However, "Header unset Server" may do what you want.
http://httpd.apache.org/docs/2.1/mod/mod_headers.html#header
http://httpd.apache.org/docs/2.1/mod/core.html#serversignature
ASKER
Kravimir, I guess the Apache httpd server was created by people who share your philosophy.
"Header unset Server" does NOT remove the Server header.
It can be used to remove these headers:
Last-Modified
Etag
But it won't remove the Server header.
The internet was created mostly by people who didn't have anything to hide. Security concerns over the years have caused people to limit what they reveal. Most websites do list the server they're running on. Notable exceptions are Google and Facebook. Bing only lists some of the servers and Amazon lists some as just 'Server'. Experts Exchange is running "Apache/Coyote" which I think refers to the use of Java and Tomcat.
The more you hide, the more likely people are to wonder what you have to hide.
Why not use ModSecurity and change it to a blank value?
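To check which of the two settings discussed in this thread is actually in effect, the added example below (not code from any poster here) parses a raw HTTP response and reports separately what the Server header and the ServerSignature page footer disclose. The sample responses, the host name example.test and the function names are constructed for illustration.

```python
import re

# Footer Apache adds to server-generated pages (error pages, directory
# listings) while ServerSignature is On.
FOOTER_RE = re.compile(
    r"<address>(Apache[^<]*?) Server at [^<]+ Port \d+</address>", re.I)

def build(server_header, footer):
    """Build a constructed sample 404 response (not captured from a real server)."""
    body = "<html><body><h1>Not Found</h1>%s</body></html>" % footer
    head = ["HTTP/1.1 404 Not Found", "Content-Type: text/html"]
    if server_header is not None:
        head.append("Server: " + server_header)
    return "\r\n".join(head) + "\r\n\r\n" + body

FOOTER = "<address>Apache/2.2.8 (EL) Server at example.test Port 80</address>"
SAMPLES = {
    "defaults": build("Apache/2.2.8 (EL)", FOOTER),
    # The asker's situation: footer gone, header unchanged.
    "ServerSignature Off": build("Apache/2.2.8 (EL)", ""),
    "ServerSignature Off + ServerTokens Prod": build("Apache", ""),
}

def audit(raw):
    """Report what the Server header and the page footer each reveal."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server")
    if server is None:
        level = "absent"
    elif re.search(r"/\d|\(", server):  # version number or OS comment
        level = "version-or-os"
    else:
        level = "product-only"
    footer = FOOTER_RE.search(body)
    return {"server": server, "header_level": level,
            "footer": footer.group(1) if footer else None}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", audit(raw))
```
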