Mailing List Archive

hiding apache version in the http header
Hi All

I am using apache http server version 1.3.19.

This version is sent as a http header between the browser and apache.

Server: Apache/1.3.19 (Unix) mod_ssl/2.8.3 OpenSSL/0.9.5a

Is it possible to do any configuration on apache to hide the version for
security reasons?

If not, is there any other way to achieve this?

waiting for any reply

thanks
Milind





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: hiding apache version in the http header
Milind Sawant wrote:

> This version is sent as a http header between the browser and apache.
> Server: Apache/1.3.19 (Unix) mod_ssl/2.8.3 OpenSSL/0.9.5a
>
> Is it possible to do any configuration on apache to hide the version..

Use the ServerTokens directive, e.g.

ServerTokens ProductOnly

Although bear in mind that you make life difficult for agencies doing
web-surveys...

> for security reasons?

Aha! That's another matter... You are obviously under the impression
that if a hacker knows what version of apache you have, he will find it
easier to break in. I would argue that this is not true - a hacker will
try his exploits no matter what version you say you have and if your
system is insecure, he will break in. Security comes through ensuring
you have a well-configured FW and server, with attention paid to all
known holes - not through trying to hide your version.

To put it another way, it's like scraping the word "Chubb" or "Yale" off
your door-lock in the hope that a burglar will be so baffled by this
that he will not attempt to break in :-)

rgds,

Owen Boyle.
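
An added example, not part of the original thread: a small audit check that parses a Server header and reports which ServerTokens level it corresponds to and which version strings it still discloses, so a change such as ServerTokens ProductOnly can be verified after a restart. The function names are hypothetical; the first sample header is the one quoted in the thread, the others are constructed.

```python
import re

# A Server header is a sequence of "product/version" tokens and "(comment)" parts.
_TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

def parse_server_header(value):
    """Return (products, comments); products is a list of (name, version or None)."""
    products, comments = [], []
    for m in _TOKEN.finditer(value):
        if m.group(1) is not None:
            comments.append(m.group(1))
        else:
            products.append((m.group(2), m.group(3)))
    return products, comments

def disclosure_level(value):
    """Name the ServerTokens level whose output format matches this header."""
    products, comments = parse_server_header(value)
    if not products or products[0][0] != "Apache":
        return "not-apache"
    if len(products) > 1:
        return "Full"         # module tokens such as mod_ssl/x.y are present
    if comments:
        return "OS"           # version plus "(Unix)"-style platform comment
    if products[0][1]:
        return "Min"          # version only (Major/Minor on 2.x look the same here)
    return "ProductOnly"      # bare "Apache"

def leaked_versions(value):
    """List every product token that still carries a version string."""
    products, _ = parse_server_header(value)
    return [f"{name}/{ver}" for name, ver in products if ver]

if __name__ == "__main__":
    samples = [
        "Apache/1.3.19 (Unix) mod_ssl/2.8.3 OpenSSL/0.9.5a",  # from the thread
        "Apache/1.3.19 (Unix)",                               # constructed
        "Apache",                                             # constructed
    ]
    for header in samples:
        print(disclosure_level(header), leaked_versions(header))
```
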
