Controlling HTTP Headers

You might be getting a little concerned about information that your web server is making available to the rest of the world. In the case of Apache, you limit the information contained in the Server header line by configuring the ServerTokens directive with the appropriate keyword. There are four possible options:

ServerTokens Full

This returns the server type and version, the type of operating system, and information on supporting software, with their version numbers. For example:

    Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.12
    OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26

ServerTokens OS

This returns the server type and version, and the type of operating system. For example:

    Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux)

ServerTokens Minimal

This returns the server type and version. For example:

    Server: Apache/1.3.27

ServerTokens ProductOnly

This returns only the server type. For example:

    Server: Apache

The default Apache configuration file does not include this directive at all, not even in commented-out form as it does for many other directives. Its absence has the same effect as ServerTokens Full, meaning that the maximum amount of information is revealed.

You can correct this easily by adding the directive anywhere in the main section of the file. Note that you can only have a single directive, which applies to the entire server, across all virtual hosts. My preference is for the OS option, which tells the world something about my site, without revealing possible vulnerabilities. ...
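As an added example (not code from the book), the following Python script automates the two checks this section implies: reading the ServerTokens level actually in force from an httpd.conf body, treating an absent directive as Full, and classifying an observed Server header value back to the level that would have produced it, so you can confirm that what the server sends matches what you configured. The sample header values and configuration fragments are constructed to mirror the four levels shown above; the Prod and Min abbreviations are Apache's documented aliases for ProductOnly and Minimal and are not mentioned on this page, and the assumption that a repeated directive's last occurrence wins is mine rather than the author's.

```python
import re

# Ordered from least to most revealing, matching the four keywords above.
LEVELS = ["ProductOnly", "Minimal", "OS", "Full"]

# Apache accepts abbreviated keywords (Prod, Min); map everything to the
# canonical names used in the text. Case-insensitive, like the directive.
CANONICAL = {
    "productonly": "ProductOnly", "prod": "ProductOnly",
    "minimal": "Minimal", "min": "Minimal",
    "os": "OS",
    "full": "Full",
}

# Constructed Server header values modelled on the examples in the text.
SAMPLE_HEADERS = {
    "Full": ("Apache/1.3.27 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.12 "
             "OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26"),
    "OS": "Apache/1.3.27 (Unix)  (Red-Hat/Linux)",
    "Minimal": "Apache/1.3.27",
    "ProductOnly": "Apache",
}


def effective_server_tokens(config_text: str) -> str:
    """Return the ServerTokens level in force for an httpd.conf body.

    Commented-out lines are ignored. If the directive is absent, Apache
    behaves as ServerTokens Full. If it appears more than once, the last
    occurrence is assumed to win (assumption, see lead-in).
    """
    setting = "Full"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"ServerTokens\s+(\S+)", line, re.IGNORECASE)
        if m:
            keyword = m.group(1).lower()
            setting = CANONICAL.get(keyword, m.group(1))
    return setting


def classify_server_header(value: str) -> str:
    """Map a Server header value to the ServerTokens level that produces it.

    ProductOnly: bare product name, no version, no comment.
    Minimal:     product/version, no parenthesised comment.
    OS:          product/version followed only by parenthesised comments.
    Full:        further product/version tokens after the comments.
    """
    comments = re.findall(r"\([^)]*\)", value)
    stripped = re.sub(r"\([^)]*\)", " ", value)
    tokens = stripped.split()
    if not tokens:
        return "Unknown"
    product, extra = tokens[0], tokens[1:]
    if extra:
        return "Full"
    if comments:
        return "OS"
    if "/" in product:
        return "Minimal"
    return "ProductOnly"


def reveals_more_than_configured(header_value: str, config_text: str) -> bool:
    """True when the observed header leaks more than the configured level.

    Useful after a change: if the directive was added to the wrong file or
    the server was not restarted, the header will still read as Full.
    """
    observed = classify_server_header(header_value)
    configured = effective_server_tokens(config_text)
    if observed not in LEVELS or configured not in LEVELS:
        return True  # treat anything unrecognised as a finding
    return LEVELS.index(observed) > LEVELS.index(configured)


if __name__ == "__main__":
    # Constructed configuration fragment with the directive commented out,
    # which Apache treats the same as not having it at all.
    conf = "# ServerTokens OS\nServerName www.example.test\n"
    print("effective level:", effective_server_tokens(conf))
    for level, header in SAMPLE_HEADERS.items():
        print(f"{level:12s} -> {classify_server_header(header)}")
```

The classifier is a heuristic over the header's shape rather than a full parser of the Server header grammar: it is enough to distinguish the four levels shown above, and any value it cannot place is reported as a finding rather than silently passed.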
