Apache: Disable the ETag Header

By default, the Apache web server has an information disclosure vulnerability where the ETag header shows information about the file containing the object in question. This can contain an “i-node” value which in combination with the use of NFS can permit certain forms of attack.

Whilst not especially serious, it is worth disabling this header given how easy it is to do (and the security people will stop complaining about it). Simply add :-

FileETag None

to an Apache configuration file and restart in the usual way. You can make this change in almost any of the files commonly found under /etc/apache2 but two possible locations where it is ready to go are :-

  1. For Ubuntu/Debian-derived Linux systems, look at /etc/apache2/conf-enabled/security.conf (it is present but commented out)
  2. For SLES-derived Linux systems, add the line to /etc/apache2/conf.d/local.conf

Of course with any Apache change you will need to restart it (and preferably in a safe manner) :-

✓ root@pm-log2# apachectl configtest
Syntax OK
✓ root@pm-log2# apachectl graceful  


This entry was posted in Technical and tagged , . Bookmark the permalink.