Masking your Apache information with ServerTokens

Phil Smith — Sun, 10 Jan 2010 13:20:53 +0000

If you want to give away less information about your current version of Apache, then you can use the ServerTokens directive in the config file (httpd.conf). The recommended one for Production servers is ‘Prod’, which will only tell people you are running Apache. Others as you can see give more information about versions and O/S which may make it easier for attackers.

Your httpd.conf file should look something like this:

#
# Don't give away too much information about all the subcomponents
# we are running.  Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens OS

Change it to look like this

#
# Don't give away too much information about all the subcomponents
# we are running.  Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens Prod

ServerTokens

This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.

ServerTokens Prod[uctOnly]
Server sends (e.g.):
Server:       Apache

ServerTokens Min[imal]
Server sends (e.g.):
Server:       Apache/1.3.0

ServerTokens OS
Server sends (e.g.):
Server: Apache/1.3.0       (Unix)

ServerTokens Full (or not specified)
Server sends (e.g.):
Server: Apache/1.3.0       (Unix) PHP/3.0 MyMod/1.2

Notes

This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.

ServerTokens is only available in Apache 1.3 and later; the ProductOnly keyword is only available in versions later than 1.3.12

Marketgrid Consulting Blog » Production

Masking your Apache information with ServerTokens

ServerTokens

Notes