
Aug 10, 2018

Reduce or remove server headers

Category: Tutorials
Posted by: Admin

Introduction
Web servers often give full version information in an HTTP header by default. For example, Apache will show something like this:

Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2

In my opinion there is no real reason to show this much information, and I definitely do not think it should be the default: once an attacker knows the exact version number, looking up the known vulnerabilities for it is trivial. Some people at Apache disagree, and have even gone so far as to add this to the official documentation:

 Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems. Also note that disabling the Server: header does nothing at all to make your server more secure. The idea of "security through obscurity" is a myth and leads to a false sense of safety. 
Personally I disagree, certainly when the header is sending detailed version information and the operating system. Security through obscurity should never be your only form of defence, but that does not mean you are any more secure for willingly announcing that you are running a vulnerable version of some software you have not yet been able to upgrade. Granted, there are ways of fingerprinting the server anyway (an Apache server sends certain headers in a certain order, for example), but that is not 100% reliable, and even then it will not give up the OS information. So I recommend removing this header or, when that is not possible (as with Apache), at least changing it to provide the minimum information.

Apache by default also adds a server signature to certain error pages. The default 404 page, for example, shows that you are running Apache, and potentially the webmaster e-mail address you have configured (if ServerSignature is set to EMail). Again, this is unnecessary information for the web server to show.

Other back-end servers (e.g. JBoss, PHP, and Node.js frameworks such as Express) also set the X-Powered-By HTTP header by default, which similarly advertises the software you are using for no benefit to your visitors, so switch it off. Where you control the application you can do this at the source (expose_php = Off in php.ini, app.disable('x-powered-by') in Express); where you cannot, strip it at the web server as shown below.

How to set it up
The following settings in Apache will reduce server headers:

    # Reduce the Server HTTP header to the minimum product token ("Apache") rather
    # than showing detailed version information of the server and operating system
    ServerTokens Prod

    # Remove the footer from error pages, which details the version numbers
    ServerSignature Off

    # Hide the X-Powered-By header sent by downstream application servers
    # (requires mod_headers; this does not work for the Server header itself).
    # Note you need both lines below, as the "always" one doesn't work with JBoss
    # for some reason: mod_headers keeps two internal header tables and an unset
    # only applies to the table named, so unsetting in both covers the header
    # whichever table the proxied backend's value lands in.
    Header always unset "X-Powered-By"
    Header unset "X-Powered-By"

Note it is not possible to fully remove the Server header in Apache without editing the source code: a Header unset Server directive has no effect, because the core HTTP output filter writes the Server header itself, after mod_headers has run. Although the source change is not actually that difficult, I do not think it is necessary to go that far; it will make future upgrades more complicated, and editing source code most people will not understand seems more dangerous than leaving the header in place. Making this configurable has been proposed several times on the Apache httpd-dev mailing list, but the core developers there seem stubbornly against it.
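Once the settings above are in place, it is worth checking the result from the outside rather than trusting the config. The script below is an added example for this article (it is not code from tunetheweb.com or from the Apache project): it requests a page that should not exist, so that the error page is exercised, and flags the three disclosures discussed above, namely a Server header carrying version or OS details, an X-Powered-By header, and the address footer Apache adds to its default error pages. The two embedded responses are constructed samples (a default Apache and PHP 404, and the same 404 after the settings are applied), and the host name www.example.com in the usage comment is a placeholder.

```python
"""Audit an HTTP response for server-software disclosure.

Added example for this article (not code from tunetheweb.com or from Apache).
Flags: a Server header with version/OS details, an X-Powered-By header, and the
<address> signature footer on Apache's default error pages.
"""
import http.client
import re
import sys

# Anything like "Apache/2.4.2" or "PHP/4.2.2"; ServerTokens Prod leaves just "Apache".
VERSION_RE = re.compile(r"/\d+(?:\.\d+)*")
# Apache's ServerSignature footer lives in an <address> element on error pages.
SIGNATURE_RE = re.compile(r"<address>(.*?)</address>", re.IGNORECASE | re.DOTALL)


def audit(headers, body):
    """Return a list of findings for a response given as (name, value) header
    pairs and a body string. An empty list means nothing was disclosed."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "server" and (VERSION_RE.search(value) or "(" in value):
            # "(" catches the OS comment, e.g. "Apache/2.4.2 (Unix)"
            findings.append(f"Server header leaks version/OS details: {value}")
        elif lname == "x-powered-by":
            findings.append(f"X-Powered-By header present: {value}")
    match = SIGNATURE_RE.search(body)
    if match:
        findings.append(f"Error page carries a server signature: {match.group(1).strip()}")
    return findings


def parse_raw(raw):
    """Split a raw HTTP response (bytes) into (name, value) header pairs and a body string."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")[1:]  # drop the status line
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body.decode("iso-8859-1", "replace")


def audit_raw(raw):
    """Convenience wrapper: audit a raw response captured as bytes."""
    return audit(*parse_raw(raw))


def fetch(host, path="/this-page-does-not-exist", port=80):
    """Request a (probably) missing page so the error-page signature is exercised."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.getheaders(), resp.read().decode("iso-8859-1", "replace")
    finally:
        conn.close()


# Constructed samples: a default Apache + PHP 404 response, and the same
# response after ServerTokens Prod, ServerSignature Off and Header unset X-Powered-By.
VERBOSE_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2\r\n"
    b"X-Powered-By: PHP/4.2.2\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1>\n<hr>\n"
    b"<address>Apache/2.4.2 (Unix) Server at www.example.com Port 80</address>\n"
    b"</body></html>\n"
)
HARDENED_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1>\n</body></html>\n"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python audit_headers.py www.example.com  (placeholder host)
        findings = audit(*fetch(sys.argv[1]))
    else:
        findings = audit_raw(VERBOSE_404)
    print("\n".join(findings) or "no server-software disclosure found")
```

Run it without arguments to see the three findings for the constructed default response; run it with a host name to audit a live server. A Server value of just "Apache" (the result of ServerTokens Prod) is accepted, while anything with a slash-version or a parenthesised OS comment, such as "Apache/2" from ServerTokens Major, is reported.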

Author: Master3395

Source: tunetheweb.com

Keywords: http, x-header, X-Powered-By
