Tuesday, May 16, 2023

Hide Apache Httpd Version in HTTP Header

Hiding the exact software version in any deployment is a basic hardening practice: it denies an attacker the cheap first step of matching a banner against a list of known CVEs. It is information hiding rather than a fix, so it lowers the noise and effort of opportunistic scanning but does not reduce the need to patch. In this post, we will see how to hide the Apache httpd version from the HTTP Server header and from server-generated pages such as the default error pages.

To check the header, just use curl with --head (or its short form -I), which sends a HEAD request and prints only the response headers. Let's say we have an Apache httpd server running on localhost:
$ curl --head http://localhost

The version is also shown in server-generated pages, for example in the signature line at the bottom of the 404 page returned when we request a non-existent path:
$ curl http://localhost/error

To hide the version number, add the two lines below to httpd.conf. I usually put them at the bottom of the configuration file. The location of httpd.conf varies depending on how httpd was installed; on RHEL-style systems it is usually /etc/httpd/conf/httpd.conf (Debian and Ubuntu ship the same directives in /etc/apache2/conf-enabled/security.conf instead). Note that the directive is ServerTokens, with a trailing s:
ServerTokens Prod
ServerSignature Off

"ServerTokens Prod" trims the Server header down to the product name only, so it reads "Server: Apache" instead of something like "Server: Apache/2.4.x (Unix)" with loaded modules listed; stock httpd has no directive to remove the header entirely. "ServerSignature Off" removes the footer line that httpd appends to its generated error pages. The two work together: ServerTokens also controls how much detail the signature would contain, so set both.


To make sure the change is free of syntax errors, test it with "apachectl -t" (or the equivalent "apachectl configtest") before touching the running service:
# apachectl -t

Once we are satisfied, restart Apache httpd (a graceful reload, "systemctl reload httpd", also picks up the change without dropping in-flight requests):
# systemctl restart httpd

Then we run the same curl checks again. The Server header now shows only "Apache" with no version, and the 404 page no longer carries the signature line:
$ curl --head http://localhost
$ curl http://localhost/error
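A small offline check for the before and after states, as an added example that is not part of the original post. It runs over two constructed responses (a default httpd reply with a full banner, and the same reply after ServerTokens Prod and ServerSignature Off) and flags any Apache version string in the Server header or in the page body. The sample responses and the function names are assumptions made for this example; in practice you would feed it the output of curl --head and curl against your own server.

```shell
#!/bin/sh
# Added example: detect Apache version disclosure in a captured HTTP response.
# The responses below are constructed samples, not output from a real server.

# Constructed sample: default httpd behaviour (ServerTokens OS, ServerSignature On)
BEFORE_HEAD='HTTP/1.1 404 Not Found
Date: Tue, 16 May 2023 10:00:00 GMT
Server: Apache/2.4.57 (Unix)
Content-Type: text/html; charset=iso-8859-1
'
BEFORE_BODY='<p>The requested URL was not found on this server.</p>
<address>Apache/2.4.57 (Unix) Server at localhost Port 80</address>'

# Constructed sample: after ServerTokens Prod and ServerSignature Off
AFTER_HEAD='HTTP/1.1 404 Not Found
Date: Tue, 16 May 2023 10:00:00 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1
'
AFTER_BODY='<p>The requested URL was not found on this server.</p>'

# Print the value of the Server header (case-insensitive match on the name),
# or nothing if the header is absent. CRs from a raw HTTP capture are stripped.
server_header() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1
}

# Succeed (exit 0) if the text contains an Apache version string such as
# "Apache/2.4.57"; fail (exit 1) if it only says "Apache" or nothing at all.
leaks_version() {
    printf '%s\n' "$1" | grep -Eq 'Apache/[0-9]+\.[0-9]+'
}

# Succeed if neither the Server header nor the body discloses a version.
response_is_clean() {
    if leaks_version "$(server_header "$1")"; then
        return 1
    fi
    if leaks_version "$2"; then
        return 1
    fi
    return 0
}

# Usage: report both samples. The "before" capture should be flagged,
# the "after" capture should pass.
if response_is_clean "$BEFORE_HEAD" "$BEFORE_BODY"; then
    echo "before: clean"
else
    echo "before: version disclosed (Server: $(server_header "$BEFORE_HEAD"))"
fi
if response_is_clean "$AFTER_HEAD" "$AFTER_BODY"; then
    echo "after: clean (Server: $(server_header "$AFTER_HEAD"))"
else
    echo "after: version disclosed"
fi
```

The body check matters as much as the header check: with ServerSignature On, the error page footer repeats the full banner, so a scanner that never looks at headers still learns the version from any 404.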
