When a browser submits a request for a page to the Apache web server, the server sends back the response data as well as response headers. The response headers usually contain important information such as the response status, content type, and the date and time of the response. However, if you don't configure the web server properly, it will also expose sensitive information about the server in the response headers. The screenshot below shows a poorly configured server:

Screenshot: poorly configured response headers

You can see from the response headers that the website is hosted on an Apache server and, furthermore, that it is using Phusion Passenger v3.0.11. If there is any vulnerability in this version of Passenger, a hacker can easily use this information to attack the website! So the solution is to hide this kind of information.


To do that you use the Apache Header directive (from mod_headers). The Header directive is processed just before the response is sent back to the network, so it lets you overwrite, modify or remove response headers set by your application.


Load the Apache headers module. First, make sure the headers module is installed and loaded; use the following command to list all loaded modules:

httpd -M

Check that headers_module is in the list. If the headers module is not loaded, you have to load it in the httpd config.

Locate your httpd config files. If you are not sure where your config files are, run the following command to show the compile-time settings:

httpd -V

It should show HTTPD_ROOT as well as SERVER_CONFIG_FILE. In my case, the output for these two settings is:

-D HTTPD_ROOT="/usr/local/httpd"

-D SERVER_CONFIG_FILE="conf/httpd.conf"

From here you know that your httpd.conf is located at /usr/local/httpd/conf/httpd.conf. Once you have located httpd.conf, edit it and add the following line to load the headers module:

LoadModule headers_module modules/mod_headers.so

Now run httpd -M again; the list of loaded modules should include headers_module.

After headers_module is loaded, add the following lines to httpd.conf; if these settings are already there, make sure they have these values.

ServerSignature Off
ServerTokens Prod

Normally Apache appends a trailing footer line, which includes information such as the server name and version, to server-generated documents such as error pages. ServerSignature Off turns this footer off, so the footer line is no longer included. ServerTokens Prod makes the Server header return only "Apache", without any version number. For a detailed explanation, refer to the Apache documentation for these directives.


Furthermore, we should unset the Server header and the X-Powered-By header entirely, so include the following lines in httpd.conf as well.

# If mod_headers module is included, we will disable the Server response header totally
<IfModule mod_headers.c>
  Header unset Server
  Header unset X-Powered-By
</IfModule>

With the above changes, you have unset or removed the Apache response headers that expose sensitive server information.
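To verify the result after restarting httpd, here is a small POSIX shell check, added as an example and not part of the original post. It reads raw response headers on stdin (for example from curl -sI) and flags the two headers discussed above: X-Powered-By if present at all, and Server unless it is absent or the bare "Apache" that ServerTokens Prod yields. The sample responses are constructed, not captured from any real host.

```shell
#!/bin/sh
# check_headers: read raw HTTP response headers on stdin and report the
# disclosure headers this post removes. Returns 0 when nothing leaks, 1 otherwise.
check_headers() {
  rc=0
  hdrs=$(tr -d '\r')                      # strip CRLF line endings
  # X-Powered-By names the application stack (PHP, Passenger, JSF ...)
  xpb=$(printf '%s\n' "$hdrs" | grep -i '^X-Powered-By:' || true)
  if [ -n "$xpb" ]; then
    echo "LEAK  $xpb"
    rc=1
  fi
  # Server: take the value after the colon, leading spaces removed
  srv=$(printf '%s\n' "$hdrs" | grep -i '^Server:' | cut -d: -f2- | sed 's/^ *//' || true)
  case "$srv" in
    ""|Apache) echo "OK    Server header: ${srv:-absent}" ;;   # unset, or ServerTokens Prod
    *) echo "LEAK  Server: $srv"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample responses (not captured from any real host)
LEAKY_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips
X-Powered-By: PHP/5.3.13
Content-Type: text/html; charset=UTF-8'

HARDENED_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=UTF-8'

# Live use against your own server:  curl -sI https://your-host.example/ | check_headers
printf '%s\n' "$LEAKY_RESPONSE" | check_headers || echo "leaks found, fix httpd.conf"
printf '%s\n' "$HARDENED_RESPONSE" | check_headers && echo "no disclosure headers"
```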

8 comments on "Unset/Remove Apache Response Header – Protect your server information"

  1. Header unset Server

    Does not work, and it seems like it will not work in the future either. Please check the bug https://issues.apache.org/bugzilla/show_bug.cgi?id=40026

    There are a few other headers that cannot be modified by mod_header; "Date" is another one in addition to "Server". Though Header unset X-Powered-By works gr8.

    • shanison said:

      Hi Jz,

      You are right that Server header can not be unset by mod_header with Apache 1.3.x. However with Apache 2.x, the Server header should be able to be unset.

      • corbenic80 said:

        Funnily enough, I just had a situation where

        Header always unset X-Powered-By

        did not work for me to unset a "X-Powered-By: JSF 1.2" header generated by a Tomcat server the Apache is forwarding to via mod_jk. Instead, the directive without always worked. I guess this is because the response header table "always" is not a superset of the default table "onsuccess" (see the mod_headers documentation). So, to be absolutely sure the header gets eliminated in every circumstance, it seems one needs to use both directives:

        Header unset X-Powered-By
        Header always unset X-Powered-By

        (which did work for me btw).

        Finally, with respect to the issue of disabling the "Server" header: this does not work with Apache 2. For proof and the whole discussion see https://issues.apache.org/bugzilla/show_bug.cgi?id=40026

  2. Paul A. Jungwirth said:

    Are you sure that your commands are successfully doing what you want? Are you using them on this blog? This is what I see:

    $ curl -is http://www.shanison.com/ | head -30
    HTTP/1.1 406 Not Acceptable
    Date: Mon, 30 Jul 2012 15:56:52 GMT
    Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_bwlimited/1.4 mod_jk/1.2.35
    X-Powered-By: PHP/5.3.13
    X-Pingback: http://www.shanison.com/xmlrpc.php
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    I’m pretty sure that `Server` cannot be removed even in Apache 2 without changing the source.

    Also, you may need to say `header always unset X-Powered-By` to remove headers generated by a CGI (including in my experience Passenger).

  3. Gabbar Singh said:

    The above solution is not hiding the server info.

  4. mod_security can change the Server header,
    or recompile Apache and put in your own Server header.

  5. Sytse Sijbrandij said:

    Make sure to configure:
    Header always unset Server
    Header always unset X-Powered-By

    (the always is important)
