ServerTokens Prod, ServerSignature Off
I tend to forget the syntax every time, but one of the first things I do when I set up an Apache web server is add or edit these two directives in my httpd.conf:
ServerSignature Off
ServerTokens Prod
The first one, ServerSignature Off, tells Apache not to append the signature line (by default something like "Apache/2.4.41 (Ubuntu) Server at www.example.com Port 80") to the bottom of error pages, directory listings and other pages it generates itself.
The second one, ServerTokens Prod, tells Apache to send just "Apache" in the Server header that goes out with every response, instead of the version, operating system and module versions (for example "Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f PHP/7.4.3"). ServerTokens also decides how much the signature line would show, so the two belong together. Two things worth knowing: ServerTokens is server-wide and has to go in the main server config (it cannot be set per virtual host, while ServerSignature can), and Prod is the most restrictive value Apache's core offers; the Server header cannot be removed or replaced entirely without a third-party module.
Why do this?
I do this for security reasons. It's not a good idea to broadcast the versions of the software you're running. While it doesn't make your server any more secure, it may make you less of a target: automated scanners and attackers searching banners for a known-vulnerable version will not match on a bare "Apache". Bear in mind it only hides the banner; a determined attacker can still fingerprint the version from behaviour (default error pages, header ordering, supported features), so this is no substitute for patching.
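Checking that the two directives actually took effect, as an added example that is not part of the original post: the script below pulls the Server header out of a raw HTTP response and flags both version disclosure and the ServerSignature footer. The responses it runs over are constructed samples (hostname, version numbers and dates are made up); against a live server you would pipe the output of curl -sI (headers) and curl -s (body) into the same functions.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a web server still
# discloses its version, i.e. whether ServerTokens/ServerSignature took effect.
# Every response below is a CONSTRUCTED sample; in practice feed the functions
# real responses, e.g.   curl -sI https://www.example.com | leaks_version

# Print the value of the Server header from a raw HTTP header block on stdin.
server_header_of() {
    tr -d '\r' | awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Exit 0 if the Server header carries a version, OS or module list
# (anything beyond a bare product token such as "Apache"), 1 otherwise.
leaks_version() {
    hdr=$(server_header_of)
    case "$hdr" in
        "")                    return 1 ;;   # no header at all: nothing leaked
        */* | *"("* | *[0-9]*) return 0 ;;   # "Apache/2.4.41 (Ubuntu)", "Apache-Coyote/1.1"
        *)                     return 1 ;;   # "Apache"
    esac
}

# Exit 0 if an HTML body on stdin carries the ServerSignature footer that
# Apache appends to its own error pages and directory listings.
has_signature_footer() {
    grep -qi '<address>.*Server at .* Port [0-9][0-9]*</address>'
}

# Constructed sample: a default build (ServerTokens Full, ServerSignature On).
LEAKY_HEADERS='HTTP/1.1 404 Not Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f PHP/7.4.3
Content-Type: text/html; charset=iso-8859-1
'
LEAKY_BODY='<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at www.example.com Port 80</address>
</body></html>
'
# Constructed sample: the same server after "ServerTokens Prod" and "ServerSignature Off".
HARDENED_HEADERS='HTTP/1.1 404 Not Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1
'
HARDENED_BODY='<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
'

# Report on one response.  Usage: audit LABEL "$headers" "$body"
audit() {
    printf '%s: Server header "%s"' "$1" "$(printf '%s' "$2" | server_header_of)"
    if printf '%s' "$2" | leaks_version; then printf ' - LEAKS version'; fi
    if printf '%s' "$3" | has_signature_footer; then printf ' - signature footer present'; fi
    printf '\n'
}

audit before "$LEAKY_HEADERS" "$LEAKY_BODY"
audit after  "$HARDENED_HEADERS" "$HARDENED_BODY"
```

The check deliberately treats anything with a slash, a parenthesis or a digit as a leak, so it also flags headers such as "Apache-Coyote/1.1" from Tomcat or a nginx/1.x banner, not only Apache's own version string; an absent Server header is treated as clean.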
What if I am running IIS?
For IIS you can use Microsoft's free URLScan tool; the latest version of this tool (3.1) supports IIS 7. Setting RemoveServerHeader=1 in the [Options] section of its urlscan.ini strips the Server header from responses altogether.
What if my server header says Apache-Coyote/1.1?
This means that the header is coming from Tomcat (Coyote is Tomcat's HTTP connector), not from Apache httpd, so the two directives above have no effect on it. You can change the value of the Server header by editing server.xml and adding or editing the
server attribute of the
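As an added example (not from the original post), this is what the HTTP Connector entry in Tomcat's conf/server.xml looks like with the server attribute set; the port, timeout and redirectPort values are assumptions, only the server attribute matters here. Any string works, so "Apache" matches what ServerTokens Prod gives. In Tomcat 8.5 and later the Server header is not sent at all unless this attribute (or the application) sets it.

```xml
<!-- Added example, not from the original post: the HTTP Connector in
     Tomcat's conf/server.xml with the Server header overridden.
     Port, timeout and redirectPort are assumptions; keep your own values. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           server="Apache" />
```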