Securing Apache, Tip #1: Minimize banner information

Its not a good idea to broadcast the versions of software you’re running when it comes either your Apache server or your favourite web development framework. While it doesn’t make your server any more secure, it may make you less of a target as many attacks come from people you actually don’t know from all over the world who are just looking for potential targets, for instance, by identifing your server signature using advanced search queries on search engines.

By default Apache adds its version number and some OS information to every response header as shown below:

tip1_1This information can help an attacker to easily try to exploit a various number of well-known vulnerabilites for that version of Apache server.

Therefore, one of the first things you must do when setting up an Apache web server is add/edit these two directive in the httpd.conf file:

ServerSignature Off
ServerTokens Prod

The first one, ServerSignature Off tells apache not to display the server version on error pages, or other pages it generates.

The second one ServerTokens Prod tells apache to only return Apache in the Server header, returned on every page request.

With these two directives this is how the response header will look like:


See other tips:

Securing Apache, Tip#2: PHP display_errors




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s