Wow, multiple posts in the same month. Watch out, I may actually start buying into this blogging thing. So I was looking for a way to mask the header information that the server sends. Well, I found this nice article explaining how to set headers if you have mod_headers installed. Well, I checked and I did; I verified I had a version of Apache to be able to make the change. It was a simple one-liner in the httpd.conf file, but for some reason, it didn’t work. Yes, I restarted Apache after the change. Well, after looking at some more articles, which said exactly the same thing, I got disheartened.

I did find a post on http://www.fatofthelan.com/ that talked about ServerTokens. This masks some of the header information, but not all of it. Here is the explanation for it:

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache

ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/1.3.0

ServerTokens OS
Server sends (e.g.): Server: Apache/1.3.0 (Unix)

ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2

By default, Apache has it set to ‘ServerTokens OS’. This change at least hides some of your header information. You can find the explanation here:

http://httpd.apache.org/docs/1.3/mod/core.html#servertokens
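To check which of the four settings above a server is actually running with, you can classify the Server header it returns. This is an added example, not code from the original post or from Apache; the function names and the sample response are made up for illustration.

```python
import re

# Constructed sample: response headers as printed by a HEAD request.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2\r\n"
    "Content-Type: text/html\r\n\r\n"
)

_COMMENT = re.compile(r"\(([^()]*)\)")              # e.g. "(Unix)"
_PRODUCT = re.compile(r"[^\s()/]+(?:/[^\s()]+)?")   # e.g. "Apache/1.3.0"


def server_header(raw_head):
    """Return the Server header value from raw response headers, or None."""
    for line in raw_head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify_server_header(value):
    """Return (level, leaked): the ServerTokens level whose output has this
    shape ('Prod', 'Min', 'OS' or 'Full') and what the header gives away."""
    comments = _COMMENT.findall(value)
    products = _PRODUCT.findall(_COMMENT.sub(" ", value))
    if not products:
        raise ValueError("no product token in Server header")
    version = products[0].partition("/")[2]
    leaked = []
    if version:
        leaked.append("server version " + version)
    leaked += ["platform " + c for c in comments]
    leaked += ["module " + p for p in products[1:]]
    # Full with no extra modules loaded looks the same as OS.
    if len(products) > 1:
        level = "Full"
    elif comments:
        level = "OS"
    elif version:
        level = "Min"
    else:
        level = "Prod"
    return level, leaked


if __name__ == "__main__":
    print(classify_server_header(server_header(SAMPLE_HEAD)))
```

Run it before and after changing ServerTokens and restarting Apache to confirm the new setting took effect.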
