When a browser submits a request for a page to the Apache web server, the server sends back the response body together with a set of response headers. The response headers carry useful information such as the response status, the content type, and the date and time of the response. However, if the web server is not configured carefully, those headers also expose details about the server software itself. The screenshot below shows a poorly configured server:

Poor Configured Response Headers


You can see from the response header that the website is hosted on an Apache server and, furthermore, that it is running Phusion Passenger 3.0.11. If a vulnerability is ever published for that version of Passenger, an attacker can use this information to pick the matching exploit without any further probing. The fix is to stop disclosing this kind of information. Keep in mind that hiding the version is a hardening measure that slows down reconnaissance, not a substitute for patching: the stack can often still be fingerprinted from other behaviour, so the vulnerable software itself must still be updated.


To do that you use the Apache Header directive, which is provided by mod_headers. The Header directive is processed just before the response is sent to the network (unless the early keyword is used), so it can override, add or remove response headers that were set by your application or by other modules.


Load the Apache headers module. First, make sure mod_headers is loaded. Use the following command to list all loaded modules (on distributions that install the binary as apache2 or ship a control script, the equivalent is apachectl -M or apache2ctl -M):

httpd -M

Check that headers_module is in the list. If it is not, you have to load it in the httpd configuration (on Debian and Ubuntu the command a2enmod headers does this for you).

Locate your httpd config file. If you are not sure where your config file is, run the following command to show the compile-time settings:

httpd -V

It should show HTTPD_ROOT as well as SERVER_CONFIG_FILE. In my case, the output for these two settings is:

-D HTTPD_ROOT="/usr/local/httpd"

-D SERVER_CONFIG_FILE="conf/httpd.conf"

From this you know that your httpd.conf is at /usr/local/httpd/conf/httpd.conf (SERVER_CONFIG_FILE is relative to HTTPD_ROOT unless it starts with a slash). Once you have located httpd.conf, edit it and add the following line to load the headers module; the module path is also relative to HTTPD_ROOT, so check that modules/mod_headers.so actually exists there:

LoadModule headers_module modules/mod_headers.so

Now run httpd -M again; the list of loaded modules should include headers_module.

After headers_module is loaded, include the following lines in httpd.conf; if the settings are already there, make sure they have these values (when a directive appears more than once, the last occurrence wins):

ServerSignature Off
ServerTokens Prod

Normally Apache appends a trailing footer line, containing the server name, version and so on, to server-generated documents such as error pages. ServerSignature Off turns that footer off. ServerTokens Prod restricts the Server header to "Apache" with no version number, operating system or module list. For a detailed explanation, refer to the Apache documentation for the ServerTokens and ServerSignature directives. After any change, run httpd -t to check the syntax and then restart (or gracefully reload) httpd so the new settings take effect.
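The steps above can be scripted. The following is an added example, not part of the original article: it derives the path of the main config file from the output of httpd -V, exactly as done by hand above, and then audits that file for the three settings discussed (mod_headers loaded, ServerTokens Prod, ServerSignature Off). The httpd -V output and the config files it runs against are constructed inline so the script runs offline; against a real server you would pipe the real httpd -V into it.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX sh with grep,
# tr and mktemp; nothing here talks to a real httpd.

# Turn the "-D HTTPD_ROOT=..." and "-D SERVER_CONFIG_FILE=..." lines of
# "httpd -V" (read from stdin) into the absolute path of the main config file.
conf_path_from_v() {
    root=''; conf=''
    while IFS= read -r line; do
        case "$line" in
            *HTTPD_ROOT=*)         root=${line#*HTTPD_ROOT=} ;;
            *SERVER_CONFIG_FILE=*) conf=${line#*SERVER_CONFIG_FILE=} ;;
        esac
    done
    root=$(printf '%s' "$root" | tr -d '"')
    conf=$(printf '%s' "$conf" | tr -d '"')
    case "$conf" in
        /*) printf '%s\n' "$conf" ;;              # already absolute
        *)  printf '%s/%s\n' "$root" "$conf" ;;   # relative to HTTPD_ROOT
    esac
}

# Audit one config file for the hardening settings. Commented-out lines are
# ignored. Limitation: it does not follow Include directives or notice a later
# override of the same directive, so treat a FAIL as certain and an OK as likely.
# Returns 0 when all three settings are right, 1 otherwise.
audit_conf() {
    file=$1; bad=0
    if grep -Eq '^[[:space:]]*LoadModule[[:space:]]+headers_module' "$file"; then
        echo 'OK    headers_module is loaded'
    else
        echo 'FAIL  add: LoadModule headers_module modules/mod_headers.so'; bad=1
    fi
    if grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod[[:space:]]*$' "$file"; then
        echo 'OK    ServerTokens Prod'
    else
        echo 'FAIL  set: ServerTokens Prod'; bad=1
    fi
    if grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$' "$file"; then
        echo 'OK    ServerSignature Off'
    else
        echo 'FAIL  set: ServerSignature Off'; bad=1
    fi
    return "$bad"
}

# Constructed "httpd -V" output mirroring the article (not captured from a real host).
sample_v='Server version: Apache/2.2.22 (Unix)
 -D HTTPD_ROOT="/usr/local/httpd"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"'

printf '%s\n' "$sample_v" | conf_path_from_v    # /usr/local/httpd/conf/httpd.conf

# A constructed httpd.conf that is only half hardened: the module is loaded,
# but ServerTokens is still Full and ServerSignature Off is commented out.
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
LoadModule headers_module modules/mod_headers.so
ServerTokens Full
# ServerSignature Off
EOF
audit_conf "$tmp" || echo 'config still needs work'
rm -f "$tmp"

# Real usage on a server where httpd is on PATH:
#   audit_conf "$(httpd -V | conf_path_from_v)"
```

Run the audit, fix whatever it flags, then confirm with httpd -t and httpd -M before reloading the server.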


Furthermore, we should remove the X-Powered-By header, which is typically added by the application layer (PHP, Passenger, Tomcat and so on) rather than by Apache, and try to suppress the Server header as well. Include the following lines in httpd.conf. Use the always condition in addition to the default one: the default (onsuccess) header table only covers successful 2xx responses, so error pages and redirects would still carry the header without it. Two caveats, both borne out by the comments below: on Apache httpd 2.x, Header unset Server has no effect, because the core adds the Server header after mod_headers has run, so ServerTokens Prod is as far as stock Apache goes (mod_security's SecServerSignature, a source patch, or stripping it at a reverse proxy in front is needed to blank it entirely); and for PHP specifically, the cleanest fix is expose_php = Off in php.ini, which stops X-Powered-By at its source.

# If mod_headers is loaded, strip X-Powered-By from every response and try to
# strip Server as well (stock Apache 2.x ignores the unset for Server; see below)
<IfModule mod_headers.c>
  # default ("onsuccess") table: applies to 2xx responses only
  Header unset Server
  Header unset X-Powered-By
  # "always" table: applies to error responses and redirects as well
  Header always unset Server
  Header always unset X-Powered-By
</IfModule>

With the above changes, responses should no longer carry X-Powered-By, and the Server header should be reduced to a bare "Apache". Verify it from the outside rather than trusting the config: request the front page and a URL that returns 404 with curl -sI and look at what actually comes back, since the two go through different header tables.
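A small checker for that verification step, added here as an example and not part of the original article: it reads raw HTTP response headers on stdin (what curl -sI prints), flags a Server header that still carries version or module details and any X-Powered-By style header, and returns non-zero if anything leaks. The three sample responses are constructed, not captured from a real host; they model an unhardened server, a server with Header unset but no always (where an application-generated 404 still carries X-Powered-By), and the fully hardened result.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX sh with tr and sed.
# Usage against a live host:  curl -sI https://example.com/ | check_headers

# Read response headers from stdin, print a verdict per interesting header and
# return 0 when nothing leaks, 1 when at least one header reveals the stack.
check_headers() {
    leaks=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')        # HTTP uses CRLF line endings
        case "$line" in *:*) ;; *) continue ;; esac     # skip status line and blanks
        name=${line%%:*}
        value=$(printf '%s' "${line#*:}" | sed 's/^ *//')
        key=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        case "$key" in
            server)
                # ServerTokens Prod leaves a bare "Apache"; a slash or a dotted
                # number means version, OS or module details are still exposed.
                case "$value" in
                    */*|*[0-9].[0-9]*) printf 'LEAK  %s: %s\n' "$name" "$value"; leaks=1 ;;
                    *)                 printf 'OK    %s: %s\n' "$name" "$value" ;;
                esac ;;
            x-powered-by|x-aspnet-version|x-aspnetmvc-version|x-generator)
                # Pure technology disclosure: these should not be present at all.
                printf 'LEAK  %s: %s\n' "$name" "$value"; leaks=1 ;;
        esac
    done
    return "$leaks"
}

# Constructed sample responses (not captured from any real host).
before='HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) Phusion_Passenger/3.0.11
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11
Content-Type: text/html; charset=UTF-8'

# ServerTokens Prod plus "Header unset" only: an application-generated 404
# is not a 2xx response, so the default header table never touched it.
partial_404='HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=iso-8859-1'

# The same 404 after "Header always unset X-Powered-By" was added.
hardened='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1'

for sample in "$before" "$partial_404" "$hardened"; do
    printf '%s\n' "$sample" | check_headers && echo 'verdict: clean' || echo 'verdict: leaking'
    echo
done
```

Because the function only reads stdin, it works equally well on headers saved from a proxy log or on the output of curl -sI against a reverse proxy, which is where the Server header can really be dropped.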

15 Responses to “Unset/Remove Apache Response Header – Protect your server information”

  1. Jz says:

    Header unset Server

    Does not work, and it seems it will not work in future either. Please check the bug https://issues.apache.org/bugzilla/show_bug.cgi?id=40026

    There are a few other headers that cannot be modified by mod_headers; "Date" is another one in addition to "Server". Though Header unset X-Powered-By works great.

    • shanison says:

      Hi Jz,

      You are right that the Server header cannot be unset by mod_headers with Apache 1.3.x. However, with Apache 2.x, the Server header should be able to be unset.

      • corbenic80 says:

        Funnily enough, I just had a situation where


        Headers always unset X-Powered-By

        did not work for me to unset an "X-Powered-By: JSF 1.2" header generated by a Tomcat server that Apache forwards to via mod_jk. Instead, the directive without always worked. I guess this is because the response header table "always" is not a superset of the default table "onsuccess" (see the mod_headers documentation). So, to be absolutely sure the header gets eliminated in every circumstance, it seems one needs to use both directives:


        Headers unset X-Powered-By
        Headers always unset X-Powered-By

        (which did work for me btw).

        Finally, with respect to the issue of disabling the “Server” header: This does not work with Apache 2. For proof and the whole discussion see https://issues.apache.org/bugzilla/show_bug.cgi?id=40026

  2. Are you sure that your commands are successfully doing what you want? Are you using them on this blog? This is what I see:


    $ curl -is http://www.shanison.com/ | head -30
    HTTP/1.1 406 Not Acceptable
    Date: Mon, 30 Jul 2012 15:56:52 GMT
    Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_bwlimited/1.4 mod_jk/1.2.35
    X-Powered-By: PHP/5.3.13
    X-Pingback: http://www.shanison.com/xmlrpc.php
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    I’m pretty sure that `Server` cannot be removed even in Apache 2 without changing the source.

    Also, you may need to say `header always unset X-Powered-By` to remove headers generated by a CGI (including in my experience Passenger).

  3. Gabbar Singh says:

    The above solution is not hiding the server info.

  4. neil says:

    mod_security can change the server header
    or recompile apache and put your own server header

  5. Sytse Sijbrandij says:

    Make sure to configure:
    Header always unset Server
    Header always unset X-Powered-By

    (the always is important)

  6. Albert Maclang says:

    To all: the above configuration works perfectly on an Apache reverse proxy, not on the web server itself. Please see the simple illustration below.

    Internet -> Apache Reverse Proxy [with the above configuration] -> Web Server

  7. Robert says:

    The following worked for me:

    ServerTokens Prod
    ServerSignature Off

    Header unset Server
    Header always unset Server
    Header unset X-Powered-By
    Header always unset X-Powered-By

    On Apache 2.2.15:
    # rpm -qi httpd | grep Version
    Version : 2.2.15 Vendor: CentOS

    The result is:
    Before –
    Server: Apache/2.2.15 (CentOS)
    X-Powered-By: PHP/5.3.3

    After –
    $ curl -sIL robertm90.com | egrep 'Server|Powered'
    Server: Apache

  8. Mohab says:

    Well, I’ve tried something that kinda worked regarding the “Server” header. I was using Oracle Http Server 11.1.1.9, which is built on Apache 2.2.22, so I think it should work for Apache too.

    All I had to do was set "ServerTokens" to "none" instead of "Prod". This resulted in the "Server" header losing its value completely, but it was still present in the response with an empty value, something like this:

    Server:

    After all, I guess that's not bad, right?

  9. Mattes says:

    ServerTokens none

    did not work for me.
    But including mod_security and adding

    SecServerSignature ' '

    did work.

    However, I am still struggling to suppress other headers.

  10. gomathi says:

    Hi,

    How do I hide a response URL parameter?

  11. gzip check says:

    @gomathi use .htaccess and the mod_rewrite module to manage URL parameters by rewriting the URL.

    gzipcheck will show you headers as well as the rewrite URL ….
