ServerTokens Prod, ServerSignature Off
I tend to forget the syntax every time, but one of the first things I do when I setup an Apache web server is add/edit these two directive in my httpd.conf:
ServerSignature Off ServerTokens Prod
The first one,
ServerSignature Off tells apache not to display the server version on error pages, or other pages it generates.
The second one
ServerTokens Prod tells apache to only return Apache in the Server header, returned on every page request.
Why do this?
I do this for security reasons. Its not a good idea to broadcast the versions of software your running. While it doesn't make your server any more secure, it may make you less of a target.
What if I am running IIS?
On IIS the
Server header does not give as much version detail as Apache, but it can let someone know what primary OS version you are running (eg Windows 2008, 2012, 2012 r2, etc).
One popular way to resolve this is to use the Microsoft URL Rewrite Module to create an outbound rule to rewrite the
Server header to a value of your choosing. Hat tip goes to Herman Zindler for posting the outbound rule configuration in the comments:
Matching scope: Server Variable Variable name: RESPONSE_Server Variable value: Matches the Pattern Using: Regular Expressions Pattern: .* Action type: Rewrite Value: Whatever you want your server header to be.
Another option for IIS 7-8.5 is the StripHeaders IIS module. This option may potentially be more performant than using Url Rewrite (though I haven't tested that claim). You can find the source code here, and binaries here.
For older versions of IIS you can use Microsoft's Free URLScan tool, the latest version of this tool only supports up to IIS 7 (though it may still work on later versions, it is basically abandonware at this point).
What if my server header says Apache-Coyote/1.1?
This means that the header is coming from Tomcat, you can edit the value of the server header by editing
server.xml and adding or editing the
server attribute of the
- HTTP Request Smuggling (HRS) - June 10, 2005
- Apache Security Patches on CentOS / RHEL - November 22, 2013
- Blocking .svn and .git Directories on Apache or IIS - October 15, 2013
- Changing the ColdFusion CFIDE Scripts Location - January 10, 2011
- HTTP Strict Transport Security - September 17, 2010
- Apache Webserver: Signatur unterdrücken Undertec Blog
Apache Web Server version 2.2.16 was detected on the host.
Have to think of something else :(
and Apache 2+
works fine thx!
I was not able to find this info in the net. Hope it helps someone
This is achievable via URLRewrite outbound rule as well for IIS 7.
That said, it only affects the Server header, one of two that HackmyCF will detect on a typical IIS-based installation of CF. The other it sees (and will require you to resolve) is the X-Powered-By: ASP.NET header, and Pete shows how to clear that in another technote here, http://www.petefreitag.com/item/722.cfm.
You'll want to use it to create a new outbound rule with the following configuration:
Matching scope: Server Variable
Variable name: RESPONSE_Server
Variable value: Matches the Pattern
Using: Regular Expressions
Action type: Rewrite
Value: Whatever you want your server header to be.
Hope that helps.
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained