Aug 10, 2018

Reduce or remove server headers

Web servers often give full version information in an HTTP Header by default. For example, Apache will show something like this:

Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2


Web servers often give full version information in an HTTP Header by default. For example, Apache will show something like this:

Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2

In my opinion, there is no real reason or need to show this much information and, I definitely do not think it should be the default. It is easy to look up particular vulnerabilities once you know the version number. Some people at Apache disagree, and have even gone so far as adding this to the official documentation:

 Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems. Also note that disabling the Server: header does nothing at all to make your server more secure. The idea of "security through obscurity" is a myth and leads to a false sense of safety. 
Now personally I disagree, and certainly when they are sending detailed version information and the OS information. Security by obscurity shouldn't be your only form of defense, but that doesn't mean security is any better by willing stating you're running vulnerable versions of software if you haven't been able to upgrade them yet! Granted there are ways of finger-printing the server (e.g. an Apache server will send certain headers and in a certain order) but that's not 100% reliable and even then it won't give up OS information. So I recommend removing this header, or when this is not possible (e.g. for Apache) then at least changing it to provide the minimum information.

Apache by default will also give server signature information on certain error pages. For example, the default 404 page will show that you are running Apache and potentially the webmaster e-mail address you have configured. Again this is unnecessary information for the web server to show in my opinion.

Other back-end servers (e.g. JBoss, NodeJs, PHP) also set the "X-Powered-By" HTTP Header by default, which similarly is an unnecessary risk to display the software you are using. It's of no benefit to your website visitors so switch them off.

How to set it up
The following settings in Apache will reduce server headers:

#Reduce Server HTTP Header to the minimum product (Apache) rather than showing detailed version information of the server and operating system ServerTokens Prod #Remove the footer from error pages, which details the version numbers: ServerSignature Off # Hide X-Powered-By and Server headers, sent by downstream application servers: # Note you need both below as the "always" one doesn't work with Jboss for some reason Header always unset "X-Powered-By" Header unset "X-Powered-By"

Note it is not possible to fully remove the Server header in Apache without resorting to editing the source code and, although this is not actually that difficult, I do not think it is necessary to go that far. It will make future upgrades more complicated and editing source code most people will not understand seems more dangerous than leaving this in place. Making this configurable has been proposed several times on the Apache httpd-dev mailing list, but the core developers there seem stubbornly against this.

authorarticle: Master3395


sources: tunetheweb.com

keywords: http, x-header, X-Powered-By

Previous Article
Next Article

Sponsored Ads:


Page 1 of 537  >  >>

First in the world with external 8TB SSD, but for a price!


Jul 2, 2020 | Category: IT | Comments

Samsung has launched a new internal SSD.

read more…

Will Google launch new Glass? Has traded AR glasses company


Jul 1, 2020 | Category: Google | Comments

Or does Google root it again?

Google has traded AR glasses company North.

read more…

Microsoft Teams now prevents Students from joining meetings unattended


Jun 30, 2020 | Category: Microsoft | Comments

Microsoft has announced the general availability of one of the most requested features for Teams for Education that will prevent students from joining a meeting unattended in the absence of the educator. This feature will also prevent students from chatting when a teacher is not present in the meeting.

read more…

Page 1 of 537  >  >>