In the default Apache configuration, the server sends an HTTP response header that reveals the Apache version, the loaded modules, the operating system and other details of the server. All of this is carried in the "Server" response header. Attackers can use this information to look for known vulnerabilities in the Apache version, OS or modules you are running, especially if you are running an older version with known vulnerabilities.
Sample HTTP Response Header:
HTTP/1.1 200 OK
Date: Sun, 10 Feb 2012 07:24:47 GMT
Server: Apache/2.2.17 (Win32) PHP/5.2.17
Vary: Accept-Encoding,Cookie
There is an easy way to hide the Apache version and other server information from the HTTP headers. By setting the "ServerTokens" and "ServerSignature" directives in your httpd.conf file, the server information is no longer added to the HTTP headers (ServerTokens controls the "Server" header; ServerSignature controls the footer line on server-generated pages such as error pages and directory listings). Add the following lines to your httpd.conf file. Back up the file before editing so that you can easily revert if something goes wrong. After making the changes, restart Apache (note: if your site runs on only one server, the restart will briefly take it down).
ServerTokens ProductOnly
ServerSignature Off

Resulting HTTP Response Header:
HTTP/1.1 200 OK
Date: Sun, 10 Feb 2012 07:24:47 GMT
Server: Apache
Vary: Accept-Encoding,Cookie
| ServerTokens Value | Server Sends |
| --- | --- |
| Full (or not specified) | Server: Apache/2.2.17 (Win32) PHP/5.2.17 |
| Prod (or ProductOnly) | Server: Apache |
| Min (or Minimal) | Server: Apache/2.2.17 |
| OS | Server: Apache/2.2.17 (Win32) |
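To confirm the change actually took effect, the following added Python example (not part of the original article) extracts the "Server" header from a raw HTTP response and maps its value back to the ServerTokens level from the table above; it goes slightly beyond the table by also recognising the Major and Minor levels Apache supports. The sample responses are constructed from the before/after headers shown on this page.

```python
import re

# Constructed sample responses: the page's "before" and "after" headers, plus
# variants built to match the remaining rows of the ServerTokens table.
SAMPLE_RESPONSES = {
    "before": "HTTP/1.1 200 OK\r\nDate: Sun, 10 Feb 2012 07:24:47 GMT\r\n"
              "Server: Apache/2.2.17 (Win32) PHP/5.2.17\r\nVary: Accept-Encoding,Cookie\r\n\r\n",
    "after": "HTTP/1.1 200 OK\r\nDate: Sun, 10 Feb 2012 07:24:47 GMT\r\n"
             "Server: Apache\r\nVary: Accept-Encoding,Cookie\r\n\r\n",
    "os_level": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.17 (Win32)\r\n\r\n",
    "min_level": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.17\r\n\r\n",
    "no_header": "HTTP/1.1 200 OK\r\nDate: Sun, 10 Feb 2012 07:24:47 GMT\r\n\r\n",
}

def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

# product, optional /version, optional (OS), optional trailing module list
_SERVER_RE = re.compile(r"Apache(?:/(\S+))?(?: \(([^)]*)\))?(?: (.+))?")

def server_tokens_level(value):
    """Map a Server header value to the ServerTokens level that produces it.

    Full: Apache/2.2.17 (Win32) PHP/5.2.17    OS: Apache/2.2.17 (Win32)
    Min:  Apache/2.2.17    Minor: Apache/2.2    Major: Apache/2    Prod: Apache
    """
    m = _SERVER_RE.fullmatch(value)
    if not m:
        return "unknown"                          # not an Apache-style value
    version, os_name, modules = m.groups()
    if modules:
        return "Full"
    if os_name:
        return "OS"
    if version is None:
        return "Prod"
    return {0: "Major", 1: "Minor"}.get(version.count("."), "Min")

def audit(raw_response):
    """Return (level, leaks_version). Only a bare product name or a missing header
    is treated as not leaking version details."""
    value = server_header(raw_response)
    if value is None:
        return ("absent", False)
    level = server_tokens_level(value)
    return (level, level != "Prod")
```

Running audit over a real response (for example the output of curl -sI) tells you which row of the table your server currently matches.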