ServerTokens Prod, ServerSignature Off


I tend to forget the syntax every time, but one of the first things I do when I setup an Apache web server is add/edit these two directive in my httpd.conf:

ServerSignature Off
ServerTokens Prod

The first one, ServerSignature Off tells apache not to display the server version on error pages, or other pages it generates.

The second one ServerTokens Prod tells apache to only return Apache in the Server header, returned on every page request.

Why do this?

I do this for security reasons. Its not a good idea to broadcast the versions of software your running. While it doesn't make your server any more secure, it may make you less of a target.

What if I am running IIS?

For IIS you can use Microsoft's Free URLScan tool, that latest version of this tool now supports IIS 7.

What if my server header says Apache-Coyote/1.1?

This means that the header is coming from Tomcat, you can edit the value of the server header by editing server.xml and adding or editing the server attribute of the <Connector> tags.

Related Entries

16 people found this page useful, what do you think?


Trackback Address: 419/D2A7903777E601A38B25BD466048A4C1


On 03/28/2011 at 5:53:52 PM UTC Michael Kane wrote:
For Windows servers, is installing UrlScan the only way to address this issue?

On 10/15/2011 at 6:56:27 AM UTC S wrote:
Sadly, these no longer work. I added both into the httpd.conf on Debian Squeeze and OpenVAS reported: Apache Web Server version 2.2.16 was detected on the host.

Have to think of something else :(

On 12/21/2011 at 2:41:29 AM UTC Marcus wrote:
On debian and ubuntu this should be inserted in: /conf.d/security and Apache 2+ works fine thx!

On 04/25/2012 at 9:04:14 AM UTC vaas wrote:
any settings need to alter in urlscan config file after installation?

On 07/17/2012 at 12:17:34 PM UTC 9jaBrozz wrote:
If you use XAMPP (v2.5.8) look for the file named <strong>httpd-default.conf</strong> under \etc\xampp\apache\conf\extra and then make the necessary changes.

I was not able to find this info in the net. Hope it helps someone

On 04/10/2013 at 10:41:37 PM UTC Tanshul Kumar wrote:
Hi Guys,

This is achievable via URLRewrite outbound rule as well for IIS 7.

On 06/18/2013 at 12:54:26 AM UTC charlie arehart wrote:
@vaas, when using URLScan to control this, you would edit the RemoveServerHeader value in the UrlScan.ini file, changing it from the default 0 to 1. Once saved, this change takes effect immediately.

That said, it only affects the Server header, one of two that HackmyCF will detect on a typical IIS-based installation of CF. The other it sees (and will require you to resolve) is the X-Powered-By: ASP.NET header, and Pete shows how to clear that in another technote here,

Post a Comment


Spell Checker by Foundeo

Recent Entries


did you hack my cf?