Can’t remove Server: Apache header

by

Apache don’t allow you to unset this completely. In fact some of the developers are vehemently against adding this despite it being a simple code change that’s been suggested (and even written!) several times. See here and here for just some of the discussions where this has been brought up and rejected.

They give various reasons for this, including:

  1. It might make it more difficult to count the number of Apache installs in the wild. This is, I suspect, the main reason. Web server usage is fiercely contested and one of Apache’s rivals (which may or may not begin with an N) regularly posts how it is gaining ground on Apache and most scans will be based on the HTTP Header, so I can understand this reluctance to make it easier to hide this.

  2. Security by obscurity is a myth, and gives a false sense of security as it’s easy to fingerprint a server to see which software it likely is, based on how it responds to certain requests. While there is an inkling of truth in that, specifying ServerTokens as Full by default definitely is a security issue leaking far too much information than should be shown by default on a public website.

  3. It may or may not be against the HTTP spec to not supply a server header. This seems to be in some disputes and still doesn’t answer why they don’t allow you to change it to some random string rather than Apache.

  4. It makes it difficult to debug issues, but you’d think anyone needing to debug would know, or be able to find out, the exact versions.

  5. Proxy servers “might” handle requests differently if they know the server type at the other end. Which is wrong of proxy servers IMHO and I doubt it’s done much anymore.

  6. If people really want to amend or hide this header they can edit the source code. Which is, quite frankly, a dangerous recommendation to advise people with no experience of the code to do and could lead to other security issues if they run from a non-packaged version just to add this.

They even goes as far as adding this in the official documentation:

Setting ServerTokens to less than minimal is not recommended because
it makes it more difficult to debug interoperational problems. Also
note that disabling the Server: header does nothing at all to make
your server more secure. The idea of “security through obscurity” is a
myth and leads to a false sense of safety.

That reasoning is, IMHO, ridiculous and, as I say, if that’s the main reason to not allow it then I don’t see why they don’t change their stance. At worse case it doesn’t add anything as they say and it stops this whole question being raised every so often though personally I think the less unnecessary information you give out, the better so would prefer to be able to turn this off.

Until that unlikely u-turn, you’re left with:

  1. Setting it minimal (so it will show “Apache”) – which is probably good enough
  2. Editing the source code – which is overkill except for the most paranoid, and means the same change needs to be applied on each new version.
  3. Installing ModSecurity – which (at least used to) allow you to overwrite (but not remove) this header to whatever you wanted to hide the server software. Probably overkill to install this just for that, though there are other benefits to a WAF.
  4. Proxy Apache behind another web server which allows you to change this field.
  5. Switch to another web server.

It should be noted however, for points 4 and 5, that most other web servers don’t allow you to turn this off either so this is not a problem unique to Apache. For example Nginx doesn’t allow this to be turned off without similarly editing the source code.

More Related Contents:

  1. How to prevent http file caching in Apache httpd (MAMP)
  2. How can I implement rate limiting with Apache? (requests per second)
  3. Apache2 ProxyPass for Rails App Gitlab
  4. Authorization header missing in django rest_framework, is apache to blame?
  5. Need to allow encoded slashes on Apache
  6. Vagrant’s port forwarding not working [closed]
  7. Apache won’t follow symlinks (403 Forbidden)
  8. How do I configure Apache2 to allow multiple simultaneous connections from same IP address?
  9. How to disable mod_deflate in apache2?
  10. .htaccess: how to restrict access to a single file by IP?
  11. URL rewriting for different protocols in .htaccess
  12. How to hide the .html extension with Apache mod_rewrite
  13. How to debug .htaccess RewriteRule not working
  14. .htaccess rewrite query string as path
  15. How to redirect URLs based on query string?
  16. hadoop.mapred vs hadoop.mapreduce?
  17. java.lang.RuntimeException: Unable to instantiate org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient
  18. Difference between the Apache HTTP Server and Apache Tomcat? [closed]
  19. How do I ignore a directory in mod_rewrite?
  20. CSS, JS and images do not display with pretty url
  21. How to setup apache server for React route?
  22. How to rewrite URL without refresh, like GitHub.com
  23. What exactly is a pre-fork web server model?
  24. How to force Apache to use manually pre-compressed gz file of CSS and JS files?
  25. Apache is not sending 304 response (if mod_deflate and AddOutputFilterByType is enabled)
  26. .htaccess 301 redirect for all https to http EXCEPT ONE PAGE
  27. HTML5 Server-Sent Events prototyping – ambiguous error and repeated polling?
  28. Apache rewrite rules not being applied for angularjs
  29. what is the use of “~” tilde in url? [closed]
  30. Do I need to convert .CER to .CRT for Apache SSL certificates? If so, how?

Leave a Comment