Apache Server Signature

When Apache can't find the page that you are looking for, it says “Not Found” and then reveals your Apache version number and sometimes even the modules that you have enabled. Do you want this?

For me the answer is of course not. Why would you?

In Debian you change these two directives in the file “/etc/apache2/conf-available/security.conf”:

ServerTokens Prod
ServerSignature Off

The ServerTokens values, with the Server header each one produces, are:

  • Full – Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2
  • Prod – Apache
  • Major – Apache/2
  • Minor – Apache/2.4
  • Min – Apache/2.4.2
  • OS – Apache/2.4.2 (Unix)

ServerSignature can be On, Off or Email, where Email displays the mail address of the server admin.
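To check that the change took effect, the added example below (not part of the original post) maps a Server header value back to the ServerTokens level from the list above and audits config text for the two directives. It assumes Apache's compiled-in defaults (ServerTokens Full, ServerSignature Off) when a directive is absent and treats the text as one global scope; the function names and sample inputs are constructed for illustration.

```python
import re

# Server header shape for each ServerTokens level, lowest disclosure first.
PATTERNS = [
    ("Prod",  re.compile(r"^Apache$")),
    ("Major", re.compile(r"^Apache/\d+$")),
    ("Minor", re.compile(r"^Apache/\d+\.\d+$")),
    ("Min",   re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("OS",    re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$")),
    ("Full",  re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)( \S+)+$")),
]

def classify_server_header(value):
    """Return the lowest ServerTokens level that yields this header value."""
    for level, pattern in PATTERNS:
        if pattern.match(value.strip()):
            return level
    return "unknown"

def audit_config(text):
    """Return findings for ServerTokens / ServerSignature in config text."""
    # Assumed defaults when a directive is absent (Apache's compiled-in values).
    effective = {"servertokens": "Full", "serversignature": "Off"}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or whole-line comment
        if len(parts) == 2 and parts[0].lower() in effective:
            effective[parts[0].lower()] = parts[1]  # later directive overrides
    findings = []
    if effective["servertokens"].lower() not in ("prod", "productonly"):
        findings.append(f"ServerTokens is {effective['servertokens']}; set it to Prod")
    if effective["serversignature"].lower() != "off":
        findings.append(f"ServerSignature is {effective['serversignature']}; set it to Off")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs: one header value and one config fragment.
    header = "Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2"
    print(header, "->", classify_server_header(header))
    for finding in audit_config("ServerTokens OS\nServerSignature On\n"):
        print(finding)
```

Feed classify_server_header the Server value from a response header of your own server (for example from `curl -sI`); anything other than Prod means the new setting has not been loaded yet.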

Published by Nimpen J. Nordström

System Developer and Network Security Enthusiast
