ServerTokens Prod, ServerSignature Off
By Pete Freitag
I tend to forget the syntax every time, but one of the first things I do when I set up an Apache web server is add or edit these two directives in my httpd.conf:
```apache
ServerSignature Off
ServerTokens Prod
```
The first one, ServerSignature Off, tells Apache not to display the server version on error pages or on other pages it generates itself (the footer line that normally reads "Apache/x.y.z Server at host Port n").
The second one, ServerTokens Prod, tells Apache to send only "Apache" in the Server header, which is returned with every response; without it the header also carries the version, the operating system and the versions of loaded modules.
Why do this?
I do this for security reasons. It's not a good idea to broadcast the versions of software you're running. While it doesn't make your server any more secure, it may make you less of a target.
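To see what the two directives actually change, here is a small checker (added here, not part of the original post) that parses a raw HTTP response, lists the product/version tokens and OS comment in the Server header, infers which ServerTokens level would produce such a header, and looks for the ServerSignature footer in the body. The two responses it runs on are constructed samples, not captures from any real host.

```python
import re

# Constructed sample (not from the post): a 404 from an Apache install that has not
# set ServerTokens/ServerSignature, so the Server header carries product versions
# and the error body carries the ServerSignature footer.
LEAKY_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f PHP/7.4.3\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1>\n"
    b"<address>Apache/2.4.41 (Ubuntu) Server at www.example.com Port 80</address>\n"
    b"</body></html>\n"
)

# Constructed sample: the same 404 after "ServerTokens Prod" and "ServerSignature Off".
HARDENED_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1>\n</body></html>\n"
)

PRODUCT_VERSION_RE = re.compile(r"[A-Za-z][\w+.-]*/[\w.-]+")   # e.g. OpenSSL/1.1.1f
OS_COMMENT_RE = re.compile(r"\(([^)]*)\)")                      # e.g. (Ubuntu)
SIGNATURE_RE = re.compile(rb"<address>.*?</address>", re.S)     # ServerSignature footer


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def infer_server_tokens(server: str) -> str:
    """Map an Apache Server header back to the ServerTokens level that produces it."""
    server = server.strip()
    if server == "Apache":
        return "Prod"
    m = re.match(r"Apache/(\d+)(?:\.(\d+))?(?:\.([\w-]+))?(\s*\([^)]*\))?(.*)$", server)
    if not m:
        return "unknown"          # not Apache, or a rewritten header
    major, minor, patch, os_comment, rest = m.groups()
    if rest.strip():
        return "Full"             # module versions appended after the OS comment
    if os_comment:
        return "OS"
    if patch:
        return "Min"
    if minor:
        return "Minor"
    return "Major"


def server_disclosure(raw: bytes) -> dict:
    """Report what a response discloses about the server software."""
    _, headers, body = parse_response(raw)
    server = headers.get("server", "")
    os_comment = OS_COMMENT_RE.search(server)
    findings = {
        "server": server,
        "product_versions": PRODUCT_VERSION_RE.findall(server),
        "os_comment": os_comment.group(1) if os_comment else None,
        "inferred_server_tokens": infer_server_tokens(server),
        "signature_in_body": SIGNATURE_RE.search(body) is not None,
    }
    findings["leaks"] = bool(findings["product_versions"]) or findings["signature_in_body"]
    return findings


if __name__ == "__main__":
    for label, raw in (("before", LEAKY_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(label, server_disclosure(raw))
```

Against a live server the same function can be fed the bytes of a response you fetched yourself; the point of the inferred level is that anything other than Prod means the header still says more than the product name.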
What if I am running IIS?
There are a few different ways to remove the IIS server header that I have outlined in a separate entry.
What if my server header says Apache-Coyote/1.1?
This means that the header is coming from Tomcat. You can change the value of the Server header by editing server.xml and adding or editing the server attribute of the
Remove Server Tokens on Nginx
If you are running nginx, you can add the following inside your http configuration block:
This will prevent nginx from outputting the version number, but it will still report nginx as the server name.
ServerTokens Prod, ServerSignature Off was first published on July 25, 2005.