Apache ServerTokens Prod, ServerSignature Off

One of the first things I do when I setup an Apache web server is add or edit the ServerTokens and ServerSignature directives in my httpd.conf:

ServerTokens Prod
ServerSignature Off

What are Apache ServerTokens?

The ServerTokens directive controls what Apache will return in the Server HTTP response header, which is returned on every page.

By setting ServerTokens Prod we are telling apache to only return Apache in the Server header. For example:

Server: Apache

Here is a list of all the supported values for the ServerTokens directive:

• ServerTokens Full - returns as much info as possible including version numbers of things like PHP or certain modules. Avoid setting ServerTokens to full!
• ServerTokens Major - places the major version in the server header, eg: Apache/2
• ServerTokens Minor - places the major and minor version in the server header, eg: Apache/2.4
• ServerTokens Min or ServerTokens Minimal - returns the full Apache version number in the server header, eg: Apache/2.4.62
• ServerTokens OS - returns the full Apache version number and the OS name, eg: Apache/2.4.62 (Ubuntu) - this one is often the default on popular linux distributions because they want to advertise their brand as much as possible.
• ServerTokens Prod or ServerTokens ProductOnly - Only returns the server product name Apache - this is the one I recommend using.

What is an Apache ServerSignature?

The second directive, ServerSignature Off tells apache not to display the server version on error pages, or other pages it generates.

The ServerSignature is typically placed in the footer of things like the default 404 error page, or a directory listing if you have Options Indexes turned on.

The possible values for ServerSignature are:

• ServerSignature On - Shows the signature containing the apache version number.
• ServerSignature Off - Does not show the server version on the footer of error pages or directory listing pages.
• ServerSignature EMail - Shows the email address specified in the ServerAdmin directive

Why change ServerTokens and ServerSignature?

I do this for security reasons. It's not a good idea to broadcast the versions of software that you are running. While it doesn't make your server any more secure, it may make you less of a target. For example, assume you are running Apache 2.4.52, and your server is happily reporting that. Now an attacker can browse apache http server vulnerabilities to find one that your version is vulnerable to (for example CVE-2022-22720). So unless you like giving attackers an advantage, it makes sense to hide this. Of course you should also update that old version of Apache!

Other Web Servers

Most web servers have a similar function to ServerTokens and ServerSignature, here's some info to point you in the right direction.

ServerTokens on IIS

There are a few different ways to remove the IIS server header that I have outlined in a separate entry.

Apache Tomcat

If your server header says Apache-Coyote/1.1 this means that the header is coming from Tomcat. You can edit the value of the server header by editing server.xml and adding or editing the server attribute of the <Connector> tags.

Remove Server Tokens on Nginx

If you are running nginx, you can add the following inside your http configuration block:

server_tokens off;

This will prevent nginx from outputting the version number, but it will still report nginx as the server name.