Tutorials | Aug 10, 2018 | Master3395
Web servers often give full version information in an HTTP Header by default. For example, Apache will show something like this:
Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2
In my opinion there is no real reason or need to show this much information, and I definitely do not think it should be the default. It is easy to look up particular vulnerabilities once you know the version number. Some people at Apache disagree, and have even gone so far as adding this to the official documentation:
Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems. Also note that disabling the Server: header does nothing at all to make your server more secure. The idea of "security through obscurity" is a myth and leads to a false sense of safety.
Now personally I disagree, certainly when the header is sending detailed version information and the OS information. Security by obscurity shouldn't be your only form of defense, but that doesn't mean security is any better by willingly stating you're running vulnerable versions of software if you haven't been able to upgrade them yet! Granted, there are ways of fingerprinting the server (e.g. an Apache server will send certain headers, and in a certain order), but that's not 100% reliable and even then it won't give up OS information. So I recommend removing this header, or when this is not possible (e.g. for Apache) then at least changing it to provide the minimum information.
Apache by default will also give server signature information on certain error pages. For example, the default 404 page will show that you are running Apache and potentially the webmaster e-mail address you have configured. Again this is unnecessary information for the web server to show in my opinion.
Other back-end servers (e.g. JBoss, Node.js, PHP) also set the "X-Powered-By" HTTP header by default, which similarly is an unnecessary risk as it discloses the software you are using. It's of no benefit to your website visitors, so switch it off.
How to set it up
The following settings in Apache will reduce the information given away in the server headers:

# Reduce the Server HTTP header to the minimum product (Apache) rather than showing
# detailed version information of the server and operating system
ServerTokens Prod

# Remove the footer from error pages, which details the version numbers:
ServerSignature Off

# Hide X-Powered-By and Server headers, sent by downstream application servers:
# Note you need both below as the "always" one doesn't work with JBoss for some reason
Header always unset "X-Powered-By"
Header unset "X-Powered-By"
Note it is not possible to fully remove the Server header in Apache without resorting to editing the source code and, although this is not actually that difficult, I do not think it is necessary to go that far. It will make future upgrades more complicated and editing source code most people will not understand seems more dangerous than leaving this in place. Making this configurable has been proposed several times on the Apache httpd-dev mailing list, but the core developers there seem stubbornly against this.
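A quick way to confirm the settings took effect is to audit the response headers for the three disclosures discussed above: a version number in the Server header, an operating-system hint in its parenthesised comment, and the presence of X-Powered-By. The following script is an added example written for this page, not code from the original post; the two sample responses are constructed to mirror the default and hardened configurations, and the list of OS names in the regular expression is an assumption you can extend.

```python
import re

# Constructed sample responses (not captured from a real server). The "before"
# shows a default Apache install with PHP; the "after" shows the same server
# with ServerTokens Prod, ServerSignature Off and X-Powered-By unset.
RAW_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 10 Aug 2018 12:00:00 GMT\r\n"
    "Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2\r\n"
    "X-Powered-By: PHP/4.2.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
RAW_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 10 Aug 2018 12:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# "product/1.2.3" style version tokens
VERSION_RE = re.compile(r"/\d+(\.\d+)*")
# Parenthesised OS comment, e.g. "(Unix)"; the OS name list is an assumption
OS_HINT_RE = re.compile(
    r"\((Unix|Win32|Win64|Linux|Debian|Ubuntu|CentOS|Red Hat|FreeBSD)[^)]*\)",
    re.IGNORECASE,
)


def parse_headers(raw):
    """Parse the head of a raw HTTP/1.x response into {lowercase-name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw):
    """Return the list of disclosures found in a raw HTTP response.

    Possible findings: "server-version", "server-os", "x-powered-by".
    An empty list means none of the three disclosures is present.
    """
    headers = parse_headers(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append("server-version")
    if OS_HINT_RE.search(server):
        findings.append("server-os")
    if "x-powered-by" in headers:
        findings.append("x-powered-by")
    return findings


if __name__ == "__main__":
    for label, raw in (("before", RAW_BEFORE), ("after", RAW_AFTER)):
        print(f"{label}: {audit_headers(raw) or 'no disclosures'}")
```

To run it against a live server, pass the output of a header-only request (for example `curl -sI https://your-host/`) into `audit_headers`; an empty result after the change means the Server header is down to the bare product name and X-Powered-By is gone.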
Keywords: http, x-header, X-Powered-By