ServerTokens Prod, ServerSignature Off
I tend to forget the syntax every time, but one of the first things I do when I set up an Apache web server is add/edit these two directives in my httpd.conf:
ServerSignature Off
ServerTokens Prod
The first one, ServerSignature Off, tells Apache not to display the server version on error pages or other pages it generates.
The second one, ServerTokens Prod, tells Apache to return only Apache in the Server header, which is returned on every page request.
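An added example, not part of the original post: a small Python check that reads httpd.conf text, works out the value in effect for each of the two directives (falling back to Apache's defaults of ServerTokens Full and ServerSignature Off when a directive is missing), and tests whether a Server header value still carries version details. It assumes a single file with no Include or per-virtual-host handling; the function names, sample configuration and header values are constructed for illustration.

```python
import re

# Values Apache uses when a directive is absent from the configuration.
DEFAULTS = {"servertokens": "Full", "serversignature": "Off"}
# Directive names are case-insensitive; a leading '#' keeps a line from matching.
DIRECTIVE = re.compile(r"^\s*(ServerTokens|ServerSignature)\s+(\S+)", re.IGNORECASE)

def effective_settings(conf_text):
    """Return the last value given for each directive (simplification: one file, no scopes)."""
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        match = DIRECTIVE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings

def config_findings(conf_text):
    """List the settings that still disclose server details."""
    s = effective_settings(conf_text)
    findings = []
    if s["servertokens"].lower() not in ("prod", "productonly"):
        findings.append("ServerTokens %s: Server header carries more than 'Apache'" % s["servertokens"])
    if s["serversignature"].lower() != "off":
        findings.append("ServerSignature %s: generated pages carry a server footer" % s["serversignature"])
    return findings

def header_leaks_version(server_header):
    """True if a Server header value has a version number or a parenthesised platform."""
    return re.search(r"/\d|\(", server_header) is not None

# Constructed sample: a commented-out line is ignored and a later line overrides an earlier one.
SAMPLE_CONF = """\
ServerTokens OS
#ServerSignature Off
ServerSignature On
servertokens Prod
"""

if __name__ == "__main__":
    for finding in config_findings(SAMPLE_CONF):
        print("FINDING:", finding)
    for value in ("Apache", "Apache/2.2.15 (CentOS)"):  # constructed header values
        print(value, "->", "leaks" if header_leaks_version(value) else "ok")
```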
Why do this?
I do this for security reasons. It's not a good idea to broadcast the versions of software you're running. While it doesn't make your server any more secure, it may make you less of a target.
What if I am running IIS?
For IIS you can use Microsoft's free URLScan tool; the latest version of this tool now supports IIS 7.
Comments
Have to think of something else :(


