Improve Apache Web Server Security: Use ServerTokens and ServerSignature to Disable Header

When the Apache HTTPD web server generates web pages or error pages, information about the server version and the modules installed on the system is disclosed in the HTTP Server response header. For example, the header may look like this:

Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b

Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4 Server at xx.xx.xx.xx Port 80


These header lines expose the version and variant of the Linux operating system and of the Apache software used on the machine, indirectly advertising security holes that may exist in those versions, or at least making it easier for attackers to identify your system and its available attack points.

To ensure that the Apache HTTP web server does not broadcast this information to the whole world and to reduce this exposure, modify the two directives ServerTokens and ServerSignature in the httpd.conf configuration file.

  1. Log in as the root user or use sudo on the web server.
  2. Open httpd.conf or apache2.conf (in Apache 2) with vi or another text editor. The Apache configuration is normally located in /etc/httpd/conf/, /etc/apache2/ or /etc/apache/ (for Apache 1.3), depending on which Unix you’re using.
  3. Locate the line with ServerTokens. In vi you can search for it by typing “/ServerTokens” and hitting Enter.
  4. In Apache 1.3, you will likely see a line starting with #ServerTokens Full. In this case, remove the # character (by pressing the d key) and change Full to Prod (press the r key to replace one character, or R to replace multiple characters), so that the line becomes ServerTokens Prod. In Apache 2.0 or 2.2 the line normally does not exist, so the search will fail; in that case go to the bottom of the config file and add a new line with the following text (you can open a new line by pressing the o key).

    ServerTokens Prod

  5. Next, search for ServerSignature. In Apache 1.3 the line should be just above the ServerTokens line. Edit it so that it looks like the following; in Apache 2, which does not already have this line, add a new one.

    ServerSignature Off

  6. By now the Apache configuration file should have these two directives set as below:

    ServerSignature Off
    ServerTokens Prod

    The first line, “ServerSignature Off”, instructs Apache not to append a trailing footer line to server-generated documents (error messages, mod_proxy FTP directory listings, mod_info output, etc.). That footer displays the server version number and the ServerName of the serving virtual host and, depending on the EMail setting, creates a “mailto:” reference to the ServerAdmin of the referenced document.

    The second line, “ServerTokens Prod”, configures Apache to return only “Apache” as the product name in the Server response header on every page request, suppressing the OS and the major and minor version information.

  7. Save and close the config file by pressing Shift-Colon, typing wq, and hitting Enter.
  8. Restart Apache. The typical command is service httpd restart or /etc/init.d/apache2 restart.
  9. Now you will get only “Apache” in the server response header:

    Server: Apache
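As an added example (not part of the original article), the following Python script inspects a captured HTTP response and infers which ServerTokens level the server is effectively running, so you can verify the change from the outside after the restart. The sample response is constructed from the second header quoted above; the level-to-header mapping follows the Apache HTTPD documentation for ServerTokens.

```python
import re

# Server header produced by each ServerTokens level (from the Apache HTTPD docs):
#   Prod "Apache" | Major "Apache/2" | Minor "Apache/2.0" | Min "Apache/2.0.41"
#   OS "Apache/2.0.41 (Unix)" | Full "Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2"
SERVER_RE = re.compile(
    r"^(?P<product>[^/\s(]+)"
    r"(?:/(?P<major>\d+)(?:\.(?P<minor>\d+)(?:\.(?P<patch>\S+))?)?)?"
    r"(?P<os>\s+\([^)]*\))?"
    r"(?P<extra>\s+\S.*)?$"
)

def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def classify_server_tokens(value):
    """Infer the effective ServerTokens level from an observed Server header."""
    m = SERVER_RE.match(value.strip())
    if not m:
        return "unknown"
    for level, group in (("Full", "extra"), ("OS", "os"), ("Min", "patch"),
                         ("Minor", "minor"), ("Major", "major")):
        if m.group(group):
            return level
    return "Prod"

def leaked_components(value):
    """Every name/version pair disclosed in the header (product and modules)."""
    return re.findall(r"([A-Za-z][\w.-]*)/([\w.-]+)", value)

# Constructed sample response, modelled on the second header quoted in the article.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    value = server_header(SAMPLE_RESPONSE)
    print(value, "->", classify_server_tokens(value), leaked_components(value))
```

After applying the directives above, a response from the same server should classify as "Prod" with an empty list of disclosed components.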


2 Responses to “Improve Apache Web Server Security: Use ServerTokens and ServerSignature to Disable Header”

  1. Leonid
    November 17th, 2008 14:58

    Many thanks, I have been using ServerSignature Off for a long time now, but the second one is quite new.

    Do you know how you can actually edit the ServerSignature so you can decide which information to send in case of an error?

  2. Nilesh
    October 24th, 2008 17:00

    It’s a really useful article for securing your dedicated web servers. The information provided makes it easy to make the changes on the server.
