Apache: Remove Server Signature from Headers

I do not want my Apache server to return this header:
Server: Apache/2.2.8 (EL)

I placed this line in my httpd.conf file, but the Server Signature is still passed in a header:
ServerSignature Off

How can I remove that header from my httpd.conf file?
hankknight Asked:
 
jessc7 Commented:
Try ServerTokens Prod
 
jessc7 Commented:
 
hankknight (Author) Commented:
No, that does not work.

It still sends this header:
Server: Apache

Look at the link you sent.  It says:
ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache

I don't want any Server header to be sent.
 
Dave Baldwin (Fixer of Problems) Commented:
You can remove the version but you can't remove 'Apache'.  Use both:

ServerSignature Off
ServerTokens Prod

See the link above from @jessc7.
 
hankknight (Author) Commented:
Is it really impossible to remove the Apache header? Isn't there some sort of module or hack for this?
 
hankknight (Author) Commented:
It looks like ModSecurity/SecServerSignature could be used to change the server header but not to remove it.
 
hankknight (Author) Commented:
Is there any way to do this with mod_headers?
 
David S. Commented:
ServerSignature doesn't control the headers. It controls what is added at the bottom of directory listings pages.

I don't recommend removing that header completely (I, for one, like to be able to easily tell what type of web server is being used). However, "Header unset Server" may do what you want.

http://httpd.apache.org/docs/2.1/mod/mod_headers.html#header
http://httpd.apache.org/docs/2.1/mod/core.html#serversignature
 
hankknight (Author) Commented:
Kravimir, I guess the Apache httpd server was created by people who share your philosophy.

"Header unset Server" does NOT remove the Server header.

It can be used to remove these headers:
Last-Modified
Etag

But it won't remove the Server header.
 
Dave Baldwin (Fixer of Problems) Commented:
The internet was created mostly by people who didn't have anything to hide.  Security concerns over the years have caused people to limit what they reveal.  Most websites do list the server they're running on.  Notable exceptions are Google and Facebook.  Bing only lists some of the servers and Amazon lists some as just 'Server'.  Experts Exchange is running "Apache/Coyote" which I think refers to the use of Java and Tomcat.

The more you hide, the more likely people are to wonder what you have to hide.
 
jessc7 Commented:
Why not use ModSecurity and change it to a blank value?
 
David S. Commented:
> "Header unset Server" does NOT remove the Server header.

Since that doesn't work for you, the SecServerSignature directive, which jessc7 mentioned, may be the only way to remove it.
Question has a verified solution.
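
A check for the behaviour worked out in this thread, added here as an example and not taken from any participant's post: it separates what the Server response header reveals (set by ServerTokens) from the signature footer on server-generated pages (set by ServerSignature). The three sample responses and the host name www.example.com are constructed for illustration.

```python
import re

# Footer httpd appends to server-generated pages (errors, listings) when
# ServerSignature is On, e.g.
# <address>Apache/2.2.8 (EL) Server at host Port 80</address>
FOOTER_RE = re.compile(r"<address>[^<]*\bServer at\b[^<]*</address>", re.I)
COMMENT_RE = re.compile(r"\(([^)]*)\)")


def audit_response(raw):
    """Return what one raw HTTP response discloses about the server software."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    server = None
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            server = value.strip()
    platform, versions = [], []
    if server is not None:
        platform = COMMENT_RE.findall(server)  # "(EL)" -> ["EL"]
        for token in COMMENT_RE.sub(" ", server).split():
            _product, slash, version = token.partition("/")
            if slash and version:
                versions.append(version)
    findings = []
    if versions or platform:
        findings.append("header leaks version/platform: set ServerTokens Prod")
    elif server:  # an absent or blank header yields no finding
        findings.append("header names product only: the least ServerTokens sends")
    if FOOTER_RE.search(body):
        findings.append("page footer leaks signature: set ServerSignature Off")
    return {"server": server, "versions": versions,
            "platform": platform, "findings": findings}


# Constructed sample responses (not captured traffic).
DEFAULT = ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.8 (EL)\r\n"
           "Content-Type: text/html\r\n\r\n<h1>Not Found</h1>\n"
           "<address>Apache/2.2.8 (EL) Server at www.example.com Port 80</address>")
SIGNATURE_OFF = ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.8 (EL)\r\n"
                 "Content-Type: text/html\r\n\r\n<h1>Not Found</h1>\n")
TOKENS_PROD = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
               "Content-Type: text/html\r\n\r\n<h1>Not Found</h1>\n")

if __name__ == "__main__":
    for label, raw in [("default", DEFAULT), ("ServerSignature Off", SIGNATURE_OFF),
                       ("ServerTokens Prod", TOKENS_PROD)]:
        print(label, audit_response(raw))
```

SIGNATURE_OFF reproduces the original question: the footer finding disappears but the header finding remains, because only ServerTokens changes the header.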
