Tuesday, December 3, 2013

How to hide web server version from appearing in http header

For apache, just add below lines into /etc/apache2/apache2.conf:

ServerTokens Prod

ServerSignature Off

where ServerTokens controls what kind of information being sent to the header. Options available for ServerTokens are(from apache docs):

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Major
Server sends (e.g.): Server: Apache/2
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

while ServerSignature is to allow configuration of a trailing footer line under server generated documents, such as error messages and mod_proxy ftp directory listings. Putting it to off will suppress the footer line.

Once added, restart or reload apache to activate the changes.
# /etc/init.d/apache2 restart

For nginx, add below line into your /etc/nginx/nginx.conf:

server_tokens off

where this line of config will hide your nginx version number. Do not forget to restart or reload nginx, for the change to take effect.
# /etc/init.t/nginx restart

To check for the header, you can use curl:

curl -I www.foo.net

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Apache/2.2.15 (Red Hat)

where -I is for curl to grab just the http header.

No comments: