
Apache ServerTokens Prod, ServerSignature Off

Updated on August 29, 2024
By Pete Freitag

One of the first things I do when I set up an Apache web server is add or edit the ServerTokens and ServerSignature directives in my httpd.conf:

ServerTokens Prod
ServerSignature Off

What are Apache ServerTokens?

The ServerTokens directive controls what Apache puts in the Server HTTP response header, which it sends with every response it serves: HTML pages, images, redirects and error responses alike.

Setting ServerTokens Prod tells Apache to return only the product name, Apache, in the Server header. For example:

Server: Apache

Here is a list of all the supported values for the ServerTokens directive, from most to least revealing:

  • ServerTokens Full - returns as much info as possible, including the version numbers of loaded modules and the libraries they link, eg: Apache/2.4.62 (Unix) OpenSSL/3.0.13 PHP/8.3.6. This is Apache's own default when the directive is not set at all, so avoid setting ServerTokens to Full and avoid leaving it unset!
  • ServerTokens Major - places only the major version in the Server header, eg: Apache/2
  • ServerTokens Minor - places the major and minor version in the Server header, eg: Apache/2.4
  • ServerTokens Min or ServerTokens Minimal - returns the full Apache version number in the Server header, eg: Apache/2.4.62
  • ServerTokens OS - returns the full Apache version number and the OS name, eg: Apache/2.4.62 (Ubuntu). Debian and Ubuntu ship this as their default in /etc/apache2/conf-available/security.conf, which is how the distribution name ends up in the header.
  • ServerTokens Prod or ServerTokens ProductOnly - returns only the server product name, Apache. This is the one I recommend using.

Two things to keep in mind. ServerTokens applies to the whole server and cannot be set per virtual host, and since Apache 2.0.44 it also controls how much version information appears in the ServerSignature line described below. There is also no ServerTokens value that removes the Server header entirely or changes the product name; Header unset Server from mod_headers does not work either, because httpd adds the Server header after mod_headers has run. If you want a blank or custom value you need a third-party module (mod_security's SecServerSignature directive can overwrite it, and requires ServerTokens Full to do so) or a patched build.

What is an Apache ServerSignature?

The second directive, ServerSignature Off, tells Apache not to append its signature line, which carries the server version and name, to the error pages and other documents it generates itself.

The signature is a trailing footer line such as Apache/2.4.62 (Ubuntu) Server at www.example.com Port 80 at the bottom of server-generated documents: the default 404 and 500 error pages, a directory listing if you have Options Indexes turned on, and mod_info output. How much version detail it contains is governed by ServerTokens, so with ServerTokens Prod the line shrinks to Apache Server at www.example.com Port 80. Off is Apache's own default, but Debian and Ubuntu turn it On in the security.conf they ship, so check the effective value rather than assuming it is off.

The possible values for ServerSignature are:

  • ServerSignature On - adds a footer line containing the Apache version number and the ServerName of the serving virtual host.
  • ServerSignature Off - adds no footer line to error pages or directory listing pages.
  • ServerSignature EMail - same as On, but additionally adds a mailto: link to the address specified in the ServerAdmin directive.

Why change ServerTokens and ServerSignature?

I do this for security reasons. It's not a good idea to broadcast the exact versions of the software you are running. Hiding the version does not fix a single vulnerability, so it is no substitute for patching, but it removes the cheapest fingerprint an attacker has and may make you less of a target for scanners that key on version strings. For example, assume you are running Apache 2.4.52, and your server is happily reporting that. An attacker can browse the Apache HTTP Server vulnerability list for an issue affecting that version (for example CVE-2022-22720, the HTTP request smuggling bug fixed in 2.4.53) and go straight to it. So unless you like giving attackers an advantage, it makes sense to hide this. Of course you should also update that old version of Apache: a determined scanner can still fingerprint the server from its behaviour, such as the wording and layout of its default error pages, the order of its response headers and how it handles malformed requests, and none of that is affected by these two directives.
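Since the header is the thing you are trying to change, the check you want is to look at what the server actually sends, not at what you think the config says. The following POSIX shell script is an added example, not code from the original post: it pulls the Server header out of raw HTTP response headers (the output of curl -sI), maps the value back onto the ServerTokens level in the list above, and checks config text for the two recommended directives. The function names are my own, and the sample response and config at the bottom are constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names and the sample
# data are my own; the HTTP response and config below are constructed.

# Print the value of the Server header from raw HTTP response headers on
# stdin, e.g. from `curl -sI https://www.example.com/`.
server_header_value() {
    tr -d '\r' | awk 'tolower($1) == "server:" {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Map a Server header value back onto the ServerTokens level that produces it:
#   Apache                                    -> Prod
#   Apache/2                                  -> Major
#   Apache/2.4                                -> Minor
#   Apache/2.4.62                             -> Minimal
#   Apache/2.4.62 (Ubuntu)                    -> OS
#   Apache/2.4.62 (Unix) OpenSSL/3.0.13 ...   -> Full
server_tokens_level() {
    hdr=$1
    case "$hdr" in
        Apache)   echo Prod; return ;;
        Apache/*) ;;
        *)        echo "not Apache"; return ;;
    esac
    case "$hdr" in
        *" "*)
            # Something follows the version. A single parenthesised OS
            # comment means ServerTokens OS; any module tokens mean Full.
            rest=${hdr#* }
            case "$rest" in
                \(*\))
                    case "${rest%)}" in
                        *\)*) echo Full ;;   # e.g. "(Unix) mod_x (y)"
                        *)    echo OS ;;     # e.g. "(Red Hat Enterprise Linux)"
                    esac ;;
                *) echo Full ;;
            esac ;;
        Apache/*.*.*) echo Minimal ;;
        Apache/*.*)   echo Minor ;;
        *)            echo Major ;;
    esac
}

# Print the effective value of an Apache directive from config text on stdin.
# Apache keeps the last occurrence it parses, so feed it every file the main
# config Includes; comment lines are ignored. Prints "unset" when absent.
effective_directive() {
    awk -v d="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(d) { v = $2 }
        END { print (v == "" ? "unset" : v) }'
}

# Succeed only when the config has ServerTokens Prod (or ProductOnly) and
# ServerSignature Off. Directive values are case-insensitive in httpd.conf.
hardening_ok() {
    conf=$(cat)
    tokens=$(printf '%s\n' "$conf" | effective_directive ServerTokens | tr 'A-Z' 'a-z')
    sig=$(printf '%s\n' "$conf" | effective_directive ServerSignature | tr 'A-Z' 'a-z')
    case "$tokens" in
        prod|productonly) [ "$sig" = off ] ;;
        *)                false ;;
    esac
}

# --- constructed demo input (not a real capture) ---
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Thu, 29 Aug 2024 12:00:00 GMT
Server: Apache/2.4.62 (Ubuntu)
Content-Type: text/html; charset=UTF-8'

SAMPLE_CONF='# values as shipped in the Debian/Ubuntu security.conf
ServerTokens OS
ServerSignature On'

value=$(printf '%s\n' "$SAMPLE_RESPONSE" | server_header_value)
echo "Server: $value  ->  ServerTokens level: $(server_tokens_level "$value")"
if printf '%s\n' "$SAMPLE_CONF" | hardening_ok; then
    echo "config: hardened"
else
    echo "config: not hardened (want ServerTokens Prod + ServerSignature Off)"
fi
# Against a live host: curl -sI https://www.example.com/ | server_header_value
```

Run the header check against your real server after a restart, because the effective ServerTokens value is whatever the last parsed file set, and on Debian-based systems that is usually security.conf rather than the httpd.conf you edited.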

Other Web Servers

Most web servers have an equivalent of ServerTokens and ServerSignature; here is some info to point you in the right direction.

ServerTokens on IIS

There are a few different ways to remove or change the IIS Server header, which I have outlined in a separate entry.

Apache Tomcat

If your Server header says Apache-Coyote/1.1, the header is coming from Tomcat rather than from httpd: Tomcat 8.0 and earlier send that value by default, while 8.5 and later send no Server header at all unless you configure one. You can change the value by editing server.xml and adding or editing the server attribute on the <Connector> element; whatever string you give it is sent verbatim, so a neutral value works the same way ServerTokens Prod does for httpd.

Remove Server Tokens on Nginx

If you are running nginx, add the following inside your http configuration block (it is also accepted in server and location blocks if you need it more narrowly):

server_tokens off;

This stops nginx from including its version number in the Server header and on its built-in error pages, but it will still report nginx as the server name. The open source build has no directive to blank or rename the header; for that you need the third-party headers-more module (more_set_headers or more_clear_headers) or to edit the version string in the source before building.

security http servers apache

Apache ServerTokens Prod, ServerSignature Off was first published on July 25, 2005.


Comments

For Windows servers, is installing UrlScan the only way to address this issue?
by Michael Kane on 03/28/2011 at 5:53:52 PM UTC
Sadly, these no longer work. I added both into the httpd.conf on Debian Squeeze and OpenVAS reported:
Apache Web Server version 2.2.16 was detected on the host.

Have to think of something else :(
by S on 10/15/2011 at 6:56:27 AM UTC
Hi Guys,

This is achievable via URLRewrite outbound rule as well for IIS 7.

http://blogs.msdn.com/b/benjaminperkins/archive/2012/11/02/change-or-modify-a-response-header-value-using-url-rewrite.aspx
by Tanshul Kumar on 04/10/2013 at 10:41:37 PM UTC
@vaas, when using URLScan to control this, you would edit the RemoveServerHeader value in the UrlScan.ini file, changing it from the default 0 to 1. Once saved, this change takes effect immediately.

That said, it only affects the Server header, one of two that HackmyCF will detect on a typical IIS-based installation of CF. The other it sees (and will require you to resolve) is the X-Powered-By: ASP.NET header, and Pete shows how to clear that in another technote here, http://www.petefreitag.com/item/722.cfm.
by charlie arehart on 06/18/2013 at 12:54:26 AM UTC
IIS URL Rewrite and Helicon ISAPI Rewrite do not work well together. We had hundreds of app pool errors in the Windows event logs.
by J on 05/11/2016 at 7:31:30 PM UTC