Apache: Reducing Information Leaked Through The Headers

Apache by default announces all sorts of information about itself when you make a connection to it :-

$ lynx -head http://some-server-fqdn/
HTTP/1.1 302 Found
Date: Thu, 31 May 2018 12:18:22 GMT
Server: Apache/2.2.15 (CentOS)
Location: https://t-oala-idp-01.iso.port.ac.uk/
Connection: close
Content-Type: text/html; charset=iso-8859-1

This can be fixed by simply changing the ServerTokens Apache configuration option to “Prod”. This is found in either security.conf or in global.conf somewhere under /etc/apache2 (or elsewhere if Apache has been set up in a strange way).

And change ServerSignature to “Off” (in the same place).

Make the change and restart Apache in the usual way – apachectl configtest and then apachectl graceful.
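To see what the change actually buys you, here is an added example (not code from the original post) that parses a raw response head of the kind `lynx -head` prints, flags the headers that identify the server software, and predicts what the `Server:` line will look like at each `ServerTokens` level. The sample head is constructed (the hostname is a placeholder) but is modelled on the one shown above; `LEAKY_HEADERS` and the helper names are this example's own choices.

```python
"""Audit an HTTP response head for software-identifying headers.

Added example, not part of the original post. It works on the text of a
response head (as printed by `lynx -head` or `curl -I`) so it runs offline.
"""
import re

# Constructed sample modelled on the post's output; hostname is a placeholder.
SAMPLE_HEAD = """HTTP/1.1 302 Found
Date: Thu, 31 May 2018 12:18:22 GMT
Server: Apache/2.2.15 (CentOS)
Location: https://idp.example.invalid/
Connection: close
Content-Type: text/html; charset=iso-8859-1
"""

# Headers that commonly disclose software, versions or backend platforms.
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "via"}


def parse_head(raw):
    """Return (status_line, {lower-cased name: value}) from a raw head."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def server_tokens_view(full_value, level):
    """Predict the Server header Apache emits for a ServerTokens level.

    full_value is the OS-level string, e.g. 'Apache/2.2.15 (CentOS)'.
    'Full' is returned unchanged; in reality it may also append module
    versions (e.g. PHP), which this helper does not model.
    """
    m = re.match(r"(\w+)/(\d+)\.(\d+)\.(\d+)(?:\s+\((.*?)\))?", full_value)
    if not m:
        return full_value
    product, major, minor, patch, os_name = m.groups()
    os_part = f" ({os_name})" if os_name else ""
    views = {
        "Prod": product,
        "Major": f"{product}/{major}",
        "Minor": f"{product}/{major}.{minor}",
        "Min": f"{product}/{major}.{minor}.{patch}",
        "OS": f"{product}/{major}.{minor}.{patch}{os_part}",
        "Full": full_value,
    }
    return views.get(level, full_value)


def audit(raw):
    """Map each identifying header present in the head to a finding."""
    _, headers = parse_head(raw)
    findings = {}
    for name in sorted(LEAKY_HEADERS & headers.keys()):
        value = headers[name]
        if name == "server" and not re.search(r"/\d", value):
            findings[name] = "product only (ServerTokens Prod)"
        elif "(" in value:
            findings[name] = "version and OS disclosed"
        else:
            findings[name] = "version disclosed"
    return findings


if __name__ == "__main__":
    status, headers = parse_head(SAMPLE_HEAD)
    print(status)
    for name, finding in audit(SAMPLE_HEAD).items():
        print(f"{name}: {headers[name]!r} -> {finding}")
    for level in ("Full", "OS", "Min", "Minor", "Major", "Prod"):
        print(f"ServerTokens {level:<6} Server: {server_tokens_view(headers['server'], level)}")
```

Run it against a real head by replacing `SAMPLE_HEAD` with the saved output of `lynx -head` or `curl -I`; after setting `ServerTokens Prod` and reloading, the `Server:` line should report "product only", and `ServerSignature Off` removes the matching version string from Apache-generated error pages.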
