When a browser submits a request for a page to the Apache web server, the server sends back the response data along with response headers. The response headers usually contain important information such as the response status, content type, and the date and time of the response. However, if you don't configure the web server properly, it can also expose important information about the server itself in the response headers. The screenshot below shows a poorly configured server:
You can see from the response header that the website is hosted on an Apache server and, furthermore, that it is using Phusion Passenger v3.0.11. If there is a known vulnerability in this version of Passenger, an attacker can easily use this information to attack the website. So the solution is to hide this kind of information.
To do that you have to use the Apache Header directive (from mod_headers). This directive is processed just before the response is sent out to the network, so it lets you overwrite, modify or remove the response headers set by your application.
Load the Apache headers module. First, make sure the headers module is loaded; run httpd -M to list all loaded modules:
Check that headers_module is in the list. If the headers module is not loaded, you have to load it in the httpd config.
Locate your httpd config files. If you are not sure where your config files are, run the following command to show the compile settings:
It should show HTTPD_ROOT as well as SERVER_CONFIG_FILE. In my case, the following is the output for these two settings:
From here you know that your httpd.conf is located at /usr/local/httpd/conf/httpd.conf. After you locate httpd.conf, edit this file and add the following line to load the headers module:
LoadModule headers_module modules/mod_headers.so
Now run httpd -M again; headers_module should appear among the loaded modules.
After headers_module is loaded, include the following lines of config in httpd.conf; if the settings are already there, make sure they have the correct values.
ServerSignature Off
ServerTokens Prod
Normally Apache appends a trailing footer line, which includes information such as the server name and version, to server-generated documents (error pages, for example). ServerSignature Off turns this footer line off. ServerTokens Prod makes the Server header return only "Apache", without any version number. For a detailed explanation, refer to the Apache documentation.
Furthermore, we should unset the Server header and the X-Powered-By header entirely, so include the following lines in httpd.conf as well.
# If the mod_headers module is loaded, disable the Server response header entirely
<IfModule mod_headers.c>
    Header unset Server
    Header unset X-Powered-By
</IfModule>
With the above changes, you should have unset or removed the Apache response headers that expose sensitive information about the server.
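A quick way to verify the result, as an added example that is not part of the original post: a POSIX shell check that scans a captured set of response headers for the Server and X-Powered-By fields this post removes, and flags any that still carry a version string. The two header blocks below are constructed samples (the Passenger version string is the one shown in the post); check_headers and count_leaks are names chosen here.

```shell
#!/bin/sh
# Constructed sample: headers from a poorly configured Apache + Passenger server.
LEAKY_HEADERS='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.2.22 (Unix) Phusion_Passenger/3.0.11
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11
Content-Type: text/html'

# Constructed sample: the same server after ServerSignature Off, ServerTokens Prod
# and Header unset Server / X-Powered-By have taken effect.
HARDENED_HEADERS='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html'

# count_leaks HEADERS
# Prints how many Server / X-Powered-By header lines are present (0 when clean).
count_leaks() {
  printf '%s\n' "$1" | tr -d '\r' \
    | grep -c -i -E '^(Server|X-Powered-By):' || true
}

# check_headers HEADERS
# Reports each leaking header line, noting when it carries a version number
# (a digit.digit pattern such as 3.0.11). Returns 1 if anything leaks, else 0.
check_headers() {
  leaks=$(printf '%s\n' "$1" | tr -d '\r' \
    | grep -i -E '^(Server|X-Powered-By):' || true)
  if [ -n "$leaks" ]; then
    printf '%s\n' "$leaks" | while IFS= read -r line; do
      case "$line" in
        *[0-9].[0-9]*) echo "version exposed: $line" ;;
        *)             echo "header exposed:  $line" ;;
      esac
    done
    return 1
  fi
  echo "no Server / X-Powered-By header present"
  return 0
}

# Usage against captured headers (for a live server: check_headers "$(curl -sI URL)")
check_headers "$LEAKY_HEADERS"
check_headers "$HARDENED_HEADERS"
```

Always verify against a live response rather than trusting the config alone: in many Apache builds the core adds the Server header after mod_headers has run, so Header unset Server may have no visible effect and only ServerTokens Prod applies.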