Controlling HTTP Headers
You might be getting a little concerned about information that your web server is making available to the rest of the world. In the case of Apache, you limit the information contained in the Server header line by configuring the ServerTokens directive with the appropriate keyword. There are four possible options:
ServerTokens Full
This returns the server type and version, the type of operating system, and information on supporting software, with their version numbers. For example:
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
ServerTokens OS
This returns the server type and version, and the type of operating system. For example:
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
ServerTokens Minimal
This returns the server type and version. For example:
Server: Apache/1.3.27
ServerTokens ProductOnly
This returns only the server type. For example:
Server: Apache
The default Apache configuration file does not include this directive, not even commented out like many other directives. Its absence has the same effect as ServerTokens Full, meaning that the maximum amount of information is revealed.
You can correct this easily by adding the directive anywhere in
the main section of the file. Note that you can only have a single
directive, which applies to the entire server, across all virtual hosts.
My preference is for the OS option, which tells the world something about my site, without revealing possible vulnerabilities. ...
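As an added example (not from the book), a small Python check that reads a Server header, infers which of the four ServerTokens levels produced it, and flags any header more verbose than the level you chose. The parsing rule is my own assumption about the header layout, not Apache's code, and the sample headers are constructed from the four examples above.

```python
import re

# Constructed sample headers, one per ServerTokens level described above.
SAMPLE_HEADERS = {
    "Full": "Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 "
            "OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26",
    "OS": "Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)",
    "Minimal": "Server: Apache/1.3.27",
    "ProductOnly": "Server: Apache",
}
LEVELS = ("ProductOnly", "Minimal", "OS", "Full")  # least to most revealing

def infer_server_tokens(header_line: str) -> dict:
    """Infer the ServerTokens level behind an Apache Server header.

    Heuristic (my assumption, not Apache's own logic): product[/version],
    then optional parenthesised OS comments, then module/version tokens;
    each extra layer maps to the next more verbose ServerTokens level.
    """
    value = header_line.strip()
    if value.lower().startswith("server:"):
        value = value[len("server:"):].strip()
    # Parenthesised comments carry the operating-system information.
    comments = re.findall(r"\(([^)]*)\)", value)
    tokens = re.sub(r"\([^)]*\)", " ", value).split()
    if not tokens:
        raise ValueError("no product token in Server header")
    product, _, version = tokens[0].partition("/")
    modules = tokens[1:]
    if modules:
        level = "Full"
    elif comments:
        level = "OS"
    elif version:
        level = "Minimal"
    else:
        level = "ProductOnly"
    return {"product": product, "version": version or None,
            "os": comments, "modules": modules, "level": level}

def reveals_more_than(header_line: str, allowed: str = "OS") -> bool:
    """True if the header exposes more than the chosen ServerTokens level."""
    level = infer_server_tokens(header_line)["level"]
    return LEVELS.index(level) > LEVELS.index(allowed)

if __name__ == "__main__":
    for expected, line in SAMPLE_HEADERS.items():
        info = infer_server_tokens(line)
        print(f"{expected:12} -> {info['level']:12} exceeds OS: {reveals_more_than(line)}")
```

Run it against the Server header your own site returns to confirm the directive took effect across all virtual hosts.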