When a browser submits a request for a page to the Apache web server, the server sends back the response body together with a set of response headers. The response headers usually carry useful information such as the response status, the content type, and the date and time of the response. However, if you don't configure the web server properly, it will also expose details about the server software in those headers. The screenshot below shows a poorly configured server:
You can see from the response headers that the website is hosted on an Apache server and, furthermore, that it is running Phusion Passenger 3.0.11. If there is a known vulnerability in that version of Passenger, an attacker can use this information to target the website directly, so the solution is to hide this kind of information.
To do that you use the Apache Header directive, provided by mod_headers. The Header directive is processed just before the response is sent out to the network, so it allows you to overwrite or remove response headers set by your application.
Load the Apache headers module. First, make sure the headers module is loaded; use the following command to list all loaded modules:
httpd -M
Check that headers_module is in the list. If the headers module is not loaded, you have to load it in the httpd config.
Locate your httpd config files. If you are not sure where your config files are, run the following command to show the compile-time settings:
httpd -V
It should show HTTPD_ROOT as well as SERVER_CONFIG_FILE. In my case, the output for these two settings is:
-D HTTPD_ROOT="/usr/local/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
From here you know that your httpd.conf is at /usr/local/httpd/conf/httpd.conf. After you locate httpd.conf, edit it and add the following line to load the headers module:
LoadModule headers_module modules/mod_headers.so
Now run httpd -M again; headers_module should appear among the loaded modules.
After headers_module is loaded, include the following lines in httpd.conf; if these settings are already there, make sure they have these values:
ServerSignature Off
ServerTokens Prod
Normally Apache appends a trailing footer line, including the server name, version and so on, to server-generated documents such as error pages. ServerSignature Off turns this footer off, so it no longer includes that trailing line. ServerTokens Prod makes the Server header contain only "Apache", with no version number and no list of loaded modules. For a detailed explanation, refer to the Apache documentation for these two directives.
Furthermore, we should remove the Server header and the X-Powered-By header entirely, so include the following lines in httpd.conf as well.
# If mod_headers module is included, we will disable the Server response header totally
<IfModule mod_headers.c>
    Header unset Server
    Header unset X-Powered-By
</IfModule>
With the above changes, X-Powered-By is gone and the Server header is reduced to a bare "Apache". Two caveats are worth knowing before you rely on this. First, Header unset Server does not actually remove the Server header on Apache 2.x (see Apache bug 40026, discussed in the comments below): the core writes that header after mod_headers has run, so ServerTokens Prod is as far as configuration alone gets you, and removing the header completely requires something like mod_security's SecServerSignature directive or rebuilding httpd. Second, headers that originate from a CGI script or a proxied backend (PHP, Passenger, Tomcat via mod_jk) are kept in a different header table from locally generated ones, so mod_headers needs the always condition (Header always unset X-Powered-By) in addition to the plain form to catch them in every case. Verify the result with curl -sI against your own site rather than trusting the config.

Header unset Server
Does not work and seems like it will not work in the future either. Please check the bug https://issues.apache.org/bugzilla/show_bug.cgi?id=40026
There are a few other headers that cannot be modified by mod_headers; "Date" is another one in addition to "Server". Though Header unset X-Powered-By works great.
Hi Jz,
You are right that the Server header cannot be unset by mod_headers with Apache 1.3.x. However, with Apache 2.x, the Server header should be able to be unset.
Funnily enough, I just had a situation where
Header always unset X-Powered-By
did not work for me to unset an "X-Powered-By: JSF 1.2" header generated by a Tomcat server that Apache is forwarding to via mod_jk. Instead, the directive without always worked. I guess this is because the response header table "always" is not a superset of the default table "onsuccess" (see the mod_headers documentation). So, to be absolutely sure the header gets eliminated in every circumstance, it seems one needs to use both directives:
Header unset X-Powered-By
Header always unset X-Powered-By
(which did work for me btw).
Finally, with respect to the issue of disabling the "Server" header: this does not work with Apache 2. For proof and the whole discussion see https://issues.apache.org/bugzilla/show_bug.cgi?id=40026
Yikes! This was meant to be a reply to Paul A. Jungwirth. :S
Are you sure that your commands are successfully doing what you want? Are you using them on this blog? This is what I see:
$ curl -is http://www.shanison.com/ | head -30
HTTP/1.1 406 Not Acceptable
Date: Mon, 30 Jul 2012 15:56:52 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_bwlimited/1.4 mod_jk/1.2.35
X-Powered-By: PHP/5.3.13
X-Pingback: http://www.shanison.com/xmlrpc.php
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
I'm pretty sure that `Server` cannot be removed even in Apache 2 without changing the source.
Also, you may need to say `header always unset X-Powered-By` to remove headers generated by a CGI (including in my experience Passenger).
The above solution is not hiding the server info.
mod_security can change the Server header,
or recompile Apache and put in your own Server header.