
Remove Server Header

Comments

5 comments

  • cPanelMichael
    Hello, If this is for the purpose of PCI compliance, you can verify the following options are disabled via "WHM >> Service Configuration >> Apache Configuration >> Global Configuration":
    Trace Enable
    Server Signature
    Server Tokens (Product Only)
    File ETag
    Additionally, you can browse to "WHM >> Software >> MultiPHP INI Editor", switch to Editor Mode, search for the "expose_php" option, and set it to "No". Thank you.
    0
  • rfcabal
    Thanks for your answer, I have disabled everything:
    Trace Off
    ServerSignature Off
    ServerToken ProductOnly
    File ETag Off
    Also expose_php is off.
    Is there a way to remove the Server Header? Thank you.
    0
  • cPanelMichael
    Hello, The "Product Only" setting will still show "Apache", and this is the least information you can provide in the header. You can find documentation on this at: core - Apache HTTP Server Version 2.4 Note the following warning: Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems. Also note that disabling the Server: header does nothing at all to make your server more secure. The idea of "security through obscurity" is a myth and leads to a false sense of safety.
    I do see some discussion of using Mod_Security to strip "Apache" from the header on this URL: How to remove HTTP Server "Apache"? However, that's unsupported and I'm not sure of the specific Mod_Security rule you'd use to achieve that. Thank you.
    0
  • quizknows
    It does not look like you can remove it entirely without modifying the source code, and obviously I don't recommend this. See: Reduce or remove server headers
    I did some quick testing with ModSecurity. I wasn't able to drop the "Server:" response header, but I was able to set it with this directive: Reference Manual · SpiderLabs/ModSecurity Wiki · GitHub
    The documentation above suggests you must set the Apache ServerTokens directive to Full. ModSecurity will then overwrite the server signature data held in this memory space with the data set in this directive. I was able to get it working with Product Only, but likely because I'm replacing with something very short (literally the string "null"). Anyway, you should be able to set it to whatever you want. I know you want it gone, but perhaps just setting "null" or something would satisfy your needs. I used:
    SecServerSignature "null"
    in my custom conf. With a short string like that you can probably get away leaving ServerTokens as ProductOnly, but a longer replacement would need more memory space afforded by setting Full.
    0
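    The settings listed by cPanelMichael above and the ServerTokens/SecServerSignature interaction quizknows describes can be checked offline. The following is an added example, not code from the thread, cPanel, Apache or ModSecurity: it parses a constructed httpd.conf fragment and flags directives that still leak more than needed (TraceEnable, ServerSignature, ServerTokens, FileETag, and a SecServerSignature set without ServerTokens Full, which the ModSecurity documentation requires), and it parses a constructed raw HTTP response to flag a version string in the Server header or an X-Powered-By header (what expose_php=On produces). The directive names are the real ones from the thread; all values, version numbers and sample responses are made up for the example.

```python
import re

# Directives the thread says to turn off (WHM >> Apache Configuration >> Global Configuration).
# Values are compared case-insensitively.
RECOMMENDED_OFF = {
    "TraceEnable": {"off"},
    "ServerSignature": {"off"},
    "FileETag": {"none"},
}
PRODUCT_ONLY = {"prod", "productonly"}   # both spellings Apache accepts for "Product Only"


def parse_directives(conf):
    """Map each top-level directive to its last value; comment lines and <sections> are skipped."""
    found = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0]] = parts[1].strip().strip('"')
    return found


def audit_config(conf):
    """Return {directive: (actual value, acceptable values)} for settings that still over-disclose."""
    d = parse_directives(conf)
    findings = {}
    for name, allowed in RECOMMENDED_OFF.items():
        actual = d.get(name, "<default>")
        if actual.lower() not in allowed:
            findings[name] = (actual, sorted(allowed))
    tokens = d.get("ServerTokens", "<default>")
    sig = d.get("SecServerSignature")
    if sig is None:
        # No ModSecurity override: the least Apache itself will send is the product name.
        if tokens.lower() not in PRODUCT_ONLY:
            findings["ServerTokens"] = (tokens, sorted(PRODUCT_ONLY))
    elif tokens.lower() != "full":
        # SecServerSignature overwrites the banner in place, so ModSecurity's docs
        # require ServerTokens Full to reserve enough space for the replacement.
        findings["SecServerSignature"] = (sig, ["ServerTokens Full"])
    return findings


VERSION_RE = re.compile(r"\d+\.\d+")


def parse_response_headers(raw):
    """Parse the header block of a raw HTTP/1.x response into a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_response(raw):
    """Return the disclosure findings for one response: a versioned Server banner or X-Powered-By."""
    h = parse_response_headers(raw)
    findings = {}
    server = h.get("server")
    if server is not None and VERSION_RE.search(server):
        findings["Server"] = server
    if "x-powered-by" in h:              # present when expose_php=On
        findings["X-Powered-By"] = h["x-powered-by"]
    return findings


# Constructed samples (not real configs or captures).
CONF_WEAK = """
ServerTokens Full
ServerSignature On
TraceEnable On
FileETag INode MTime Size
"""

CONF_HARDENED = """
# Global Configuration as set from WHM, plus the ModSecurity override from the thread.
# ServerTokens stays Full because ModSecurity needs that space for the replacement banner.
TraceEnable Off
ServerSignature Off
ServerTokens Full
FileETag None
SecServerSignature "null"
"""

RESP_WEAK = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Unix) OpenSSL/3.0.8\r\n"
             "X-Powered-By: PHP/8.1.20\r\nContent-Type: text/html\r\n\r\n<html>")
RESP_HARDENED = "HTTP/1.1 200 OK\r\nServer: null\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for label, conf in (("weak", CONF_WEAK), ("hardened", CONF_HARDENED)):
        print(label, "config:", audit_config(conf) or "no findings")
    for label, resp in (("weak", RESP_WEAK), ("hardened", RESP_HARDENED)):
        print(label, "response:", audit_response(resp) or "no findings")
```

    To check a live server instead of the constructed sample, feed `audit_response` the output of `curl -sI https://host/`; the Server line will show "Apache" under Product Only and whatever SecServerSignature sets when ModSecurity is active.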
  • rfcabal
    quizknows wrote:
    > It does not look like you can remove it entirely without modifying the source code, and obviously I don't recommend this. See: Reduce or remove server headers
    > I did some quick testing with ModSecurity. I wasn't able to drop the "Server:" response header, but I was able to set it with this directive: Reference Manual · SpiderLabs/ModSecurity Wiki · GitHub
    > The documentation above suggests you must set the Apache ServerTokens directive to Full. ModSecurity will then overwrite the server signature data held in this memory space with the data set in this directive. I was able to get it working with Product Only, but likely because I'm replacing with something very short (literally the string "null"). Anyway, you should be able to set it to whatever you want. I know you want it gone, but perhaps just setting "null" or something would satisfy your needs. I used:
    > SecServerSignature "null"
    > in my custom conf. With a short string like that you can probably get away leaving ServerTokens as ProductOnly, but a longer replacement would need more memory space afforded by setting Full.

    Thanks! This works pretty well!
    0
