By default, Apache proudly tells everyone that it is your web server, along with such specifics as exactly which version you are using and even the versions of the individual modules. As friendly as this is, it's not particularly secure. So how do you get it to be a little less forthcoming with this information?

HTTP response headers

The HTTP headers are a good place to start. Every time someone asks your server for a file, they get these headers back first, including one identifying the server. This will say something like Apache/1.3.29 (Unix), or, even worse, Server: Apache/1.3.29 (Unix) mod_gzip/ mod_perl/1.29. Thankfully, changing the server header to something a bit more subtle is pretty easy. Just slip the following line into your httpd.conf file:

ServerTokens Prod

This replaces the detailed information with a simple Server: Apache.

Error responses

The other place where Apache tends to divulge too much information is the footer of error responses, such as the dreaded 404 page. You can turn off the footer from .htaccess, so even if you don't have access to httpd.conf you can still turn it off for your own website. If you do have access to httpd.conf, it's probably a good idea to turn it off there, so that the change is global. Again, only one line needs to be added:

ServerSignature Off

Once you have added the two lines to httpd.conf, restart Apache (If you just added the one line to .htaccess, you don't need to restart anything; the change should take effect immediately). Apache should no longer divulge its exact version number at the drop of a hat, let alone a list of the modules you are using with it. Of course, this won't deter people who are serious about breaking into your site, but at least it'll keep the script kiddies at bay.

Log in or register to write something here or to contact authors.