Apache ServerTokens Prod, ServerSignature Off
By Pete Freitag
One of the first things I do when I set up an Apache web server is add or edit the ServerTokens and ServerSignature directives in my httpd.conf:
ServerTokens Prod
ServerSignature Off
What are Apache ServerTokens?
The ServerTokens directive controls what Apache will return in the Server HTTP response header, which is returned on every page. By setting ServerTokens Prod we are telling Apache to only return Apache in the Server header. For example:
Server: Apache
Here is a list of all the supported values for the ServerTokens directive:
- ServerTokens Full - returns as much info as possible, including version numbers of things like PHP or certain modules. Avoid setting ServerTokens to Full!
- ServerTokens Major - places the major version in the server header, e.g. Apache/2
- ServerTokens Minor - places the major and minor version in the server header, e.g. Apache/2.4
- ServerTokens Min or ServerTokens Minimal - returns the full Apache version number in the server header, e.g. Apache/2.4.62
- ServerTokens OS - returns the full Apache version number and the OS name, e.g. Apache/2.4.62 (Ubuntu). This one is often the default on popular Linux distributions because they want to advertise their brand as much as possible.
- ServerTokens Prod or ServerTokens ProductOnly - only returns the server product name, Apache. This is the one I recommend using.
What is an Apache ServerSignature?
The second directive, ServerSignature Off, tells Apache not to display the server version on error pages or other pages it generates. The ServerSignature is typically placed in the footer of things like the default 404 error page, or a directory listing if you have Options Indexes turned on.
The possible values for ServerSignature are:
- ServerSignature On - shows the signature containing the Apache version number.
- ServerSignature Off - does not show the server version in the footer of error pages or directory listing pages.
- ServerSignature EMail - shows the email address specified in the ServerAdmin directive.
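As an added example (not code from the original post), here is a small Python checker that maps a captured Server header value back to the ServerTokens level that would produce it, and looks for the default Apache signature footer that ServerSignature On adds to error pages. The two sample responses are constructed, not captured from any real host.

```python
import re

# Apache "Server" header grammar: product token, optional version, optional OS
# comment, then (only under ServerTokens Full) further module tokens. The
# lookahead keeps "Apache-Coyote/1.1" (Tomcat) from being treated as httpd.
SERVER_RE = re.compile(
    r"^Apache(?![\w-])(?:/(?P<ver>\d+(?:\.\d+){0,2}))?"
    r"(?:\s+\((?P<os>[^)]*)\))?(?P<rest>.*)$"
)

def classify_server_tokens(server_value):
    """Return the ServerTokens level that yields this Server value, or 'not-apache'."""
    m = SERVER_RE.match(server_value.strip())
    if not m:
        return "not-apache"
    ver, os_comment, rest = m.group("ver"), m.group("os"), m.group("rest").strip()
    if rest:                    # trailing tokens such as OpenSSL/3.0.2 or PHP/8.1.2
        return "Full"
    if os_comment is not None:  # "Apache/2.4.62 (Ubuntu)"
        return "OS"
    if ver is None:             # bare "Apache"
        return "Prod"
    return {1: "Major", 2: "Minor", 3: "Min"}[ver.count(".") + 1]

# With ServerSignature On, Apache's default error pages end in an <address>
# element like "<address>Apache/2.4.62 (Ubuntu) Server at host Port 80</address>".
SIGNATURE_RE = re.compile(r"<address>\s*Apache/[^<]*\bServer at\b", re.IGNORECASE)

def audit_response(raw_response):
    """Parse a raw HTTP response; return (ServerTokens level, signature_present)."""
    head, _, body = raw_response.partition("\r\n\r\n")
    server = ""
    for line in head.split("\r\n")[1:]:         # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return classify_server_tokens(server), bool(SIGNATURE_RE.search(body))

# Constructed sample responses (not captured from any real host).
LEAKY = ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.62 (Ubuntu) OpenSSL/3.0.2 PHP/8.1.2\r\n"
         "Content-Type: text/html\r\n\r\n<html><body><h1>Not Found</h1>"
         "<address>Apache/2.4.62 (Ubuntu) Server at example.com Port 80</address>"
         "</body></html>")
HARDENED = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
            "<html><body><h1>Not Found</h1></body></html>")

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("hardened", HARDENED)):
        level, sig = audit_response(resp)
        print(f"{label}: ServerTokens {level}, ServerSignature {'On' if sig else 'Off'}")
```

Feed it the raw response from your own server (for example, the output of curl -i against a URL that does not exist) to confirm both directives took effect after a restart.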
Why change ServerTokens and ServerSignature?
I do this for security reasons. It's not a good idea to broadcast the versions of software that you are running. While it doesn't make your server any more secure, it may make you less of a target. For example, assume you are running Apache 2.4.52, and your server is happily reporting that. Now an attacker can browse Apache HTTP Server vulnerabilities to find one that your version is vulnerable to (for example CVE-2022-22720). So unless you like giving attackers an advantage, it makes sense to hide this. Of course you should also update that old version of Apache!
Other Web Servers
Most web servers have a similar function to ServerTokens and ServerSignature; here's some info to point you in the right direction.
ServerTokens on IIS
There are a few different ways to remove the IIS server header that I have outlined in a separate entry.
Apache Tomcat
If your server header says Apache-Coyote/1.1, this means that the header is coming from Tomcat. You can edit the value of the server header by editing server.xml and adding or editing the server attribute of the <Connector> tags.
Remove Server Tokens on Nginx
If you are running nginx, you can add the following inside your http configuration block:
server_tokens off;
This will prevent nginx from outputting the version number, but it will still report nginx as the server name.
Apache ServerTokens Prod, ServerSignature Off was first published on July 25, 2005.
Comments
Apache Web Server version 2.2.16 was detected on the host.
Have to think of something else :(
This is achievable via URLRewrite outbound rule as well for IIS 7.
http://blogs.msdn.com/b/benjaminperkins/archive/2012/11/02/change-or-modify-a-response-header-value-using-url-rewrite.aspx
That said, it only affects the Server header, one of two that HackmyCF will detect on a typical IIS-based installation of CF. The other it sees (and will require you to resolve) is the X-Powered-By: ASP.NET header, and Pete shows how to clear that in another technote here, http://www.petefreitag.com/item/722.cfm.