Solved

Apache: Remove Server Signature from Headers

Posted on 2011-05-05
Last Modified: 2012-05-11
I do not want my Apache server to return this header:
Server: Apache/2.2.8 (EL)

I placed this line in my httpd.conf file, but the Server Signature is still passed in a header:
ServerSignature Off

How can I remove that header from my httpd.conf file?
0
Question by:hankknight
13 Comments
 
LVL 16

Expert Comment

by:jessc7
ID: 35702386
Try ServerTokens Prod
0
 
LVL 16

Expert Comment

by:jessc7
ID: 35702391
0
 
LVL 16

Author Comment

by:hankknight
ID: 35702440
No, that does not work.

It still sends this header:
Server: Apache

Look at the link you sent.  It says:
ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache

I don't want any Server header to be sent.
0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 664 total points
ID: 35702452
You can remove the version but you can't remove 'Apache'.  Use both:

ServerSignature Off
ServerTokens Prod

See the link above from @jessc7.
0
 
LVL 16

Author Comment

by:hankknight
ID: 35702466
Is it really impossible to remove the Apache header? Isn't there some sort of module or hack for this?
0
 
LVL 16

Accepted Solution

by:
jessc7 earned 672 total points
ID: 35702591
0
 
LVL 16

Author Comment

by:hankknight
ID: 35702863
It looks like ModSecurity/SecServerSignature could be used to change the server header but not to remove it.
0
 
LVL 16

Author Comment

by:hankknight
ID: 35702904
Is there any way to do this with mod_headers?
0
 
LVL 43

Expert Comment

by:David S.
ID: 35702920
ServerSignature doesn't control the headers. It controls what is added at the bottom of directory listings pages.

I don't recommend removing that header completely (I, for one, like to be able to easily tell what type of web server is being used). However, "Header unset Server" may do what you want.

http://httpd.apache.org/docs/2.1/mod/mod_headers.html#header
http://httpd.apache.org/docs/2.1/mod/core.html#serversignature
0
 
LVL 16

Author Comment

by:hankknight
ID: 35703063
Kravimir, I guess the Apache httpd server was created by people who share your philosophy.

"Header unset Server" does NOT remove the Server header.

It can be used to remove these headers:
Last-Modified
Etag

But it won't remove the Server header.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 35703169
The internet was created mostly by people who didn't have anything to hide.  Security concerns over the years have caused people to limit what they reveal.  Most websites do list the server they're running on.  Notable exceptions are Google and Facebook.  Bing only lists some of the servers and Amazon lists some as just 'Server'.  Experts Exchange is running "Apache/Coyote" which I think refers to the use of Java and Tomcat.

The more you hide, the more likely people are to wonder what you have to hide.
0
 
LVL 16

Expert Comment

by:jessc7
ID: 35703187
Why not use ModSecurity and change it to a blank value?
0
 
LVL 43

Assisted Solution

by:David S.
David S. earned 664 total points
ID: 35703192
> "Header unset Server" does NOT remove the Server header.

Since that doesn't work for you, the SecServerSignature directive, which jessc7 mentioned, may be the only way to remove it.
0
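
A check for the two settings discussed in this thread, added here as an example and not posted by any participant: it reads a raw HTTP response and reports which ServerTokens level the Server header corresponds to, and separately whether the ServerSignature footer appears in the body. The function names, the sample responses and www.example.com are constructed for illustration; the footer pattern assumes Apache's default `<address>` signature line.

```shell
# Added example, not from the thread. Sample responses are constructed.
# Print which ServerTokens level the Server header on stdin corresponds to.
server_header_level() {
    tr -d '\r' | awk '
        /^$/ { exit }                       # blank line ends the header block
        tolower($0) ~ /^server:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, "")
            value = $0; seen = 1
        }
        END {
            if (!seen)                                           level = "absent"
            else if (value == "")                                level = "empty"
            else if (value == "Apache")                          level = "prod"
            else if (value ~ /^Apache\/[0-9]+$/)                 level = "major"
            else if (value ~ /^Apache\/[0-9]+\.[0-9]+$/)         level = "minor"
            else if (value ~ /^Apache\/[0-9]+\.[0-9]+\.[0-9]+$/) level = "minimal"
            else if (value ~ /^Apache\/[0-9.]+ \([^)]*\)$/)      level = "os"
            else if (value ~ /^Apache\/[0-9.]+ \([^)]*\) ./)     level = "full"
            else                                                 level = "custom"
            print level
        }'
}

# Exit 0 if the response on stdin contains the footer that ServerSignature On
# appends to server-generated pages (error pages, directory listings).
has_signature_footer() {
    grep -Eq '<address>Apache[^<]* Server at [^<]+ Port [0-9]+</address>'
}

# Constructed response: the header from the question, ServerSignature left On.
BEFORE='HTTP/1.1 404 Not Found
Server: Apache/2.2.8 (EL)
Content-Type: text/html

<address>Apache/2.2.8 (EL) Server at www.example.com Port 80</address>'

# Constructed response after ServerTokens Prod and ServerSignature Off.
AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<p>The requested URL was not found on this server.</p>'

for name in BEFORE AFTER; do
    eval "resp=\$$name"
    level=$(printf '%s\n' "$resp" | server_header_level)
    if printf '%s\n' "$resp" | has_signature_footer; then footer=yes; else footer=no; fi
    echo "$name: Server level=$level, signature footer=$footer"
done
```

To check a server you administer, pipe the output of `curl -si` for a URL that returns a server-generated error page into each function.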


Question has a verified solution.
