Hiding software version in any deployment is a basic security practice that we can use to lower the risk of the deployment being breached. In this post, we will see how we can hide the apache httpd version from the http header, and from server generated pages.
To check our header, just use curl. Let's say we have an apache httpd server running on localhost
$ curl --header http://localhost
The version will also showing in the server generated page, like when we tried to access non existent page
$ curl --header http://localhost/error
To hide the version number, we can just add below line into httpd.conf. I usually will put it at the bottom of the configuration file. The location of the httpd.conf will varies depending on how you install httpd. The usual location is at /etc/httpd/conf/httpd.conf:
ServerToken ProdServerSignature Off
"ServerToken Prod" will hide apache httpd version from http header, while "ServerSignature Off" will hide the version from server generated pages.
Example is like below
To make sure that our change is syntax error free, test with "apachectl -t"
Once we are satisfied, restart apache httpd
# systemctl restart httpd
Then, we test it back using curl, and we do not see the version anymore
$ curl --head http://localhost$ curl --head http://localhost/error
No comments:
Post a Comment