6.6. Controlling HTTP Headers

You might be getting a little concerned about information that your web server is making available to the rest of the world. In the case of Apache, you limit the information contained in the Server header line by configuring the ServerTokens directive with the appropriate keyword. There are four possible options:
The default Apache configuration file does not include this directive, not even commented out like many other directives. Its absence has the same effect as ServerTokens Full, meaning that the maximum amount of information is revealed. You can correct this easily by adding the directive anywhere in the main section of the file. Note that you can only have a single directive, which applies to the entire server, across all virtual hosts. My preference is for the OS option, which tells the world something about my site, without revealing possible vulnerabilities.

A related Apache directive is ServerSignature, which determines whether a string identifying your server is included in the error pages returned by the server. For example:

    Apache/1.3.27 Server at www.craic.com Port 80

This can be set to On, Off, or Email. In the last case, the message includes a mailto link to the server administrator. I recommend you set this to On because it helps determine the source of error messages.
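The following audit script is an added example, not code from the original text. It checks httpd.conf text for the ServerTokens conditions described above: a missing directive (which behaves as Full), a directive placed inside a container section rather than the main section, and more than one directive. The function name audit and the sample configurations are constructed for illustration, and treating the last main-section directive as the effective one is an assumption.

```python
import re

# Apache directive names and keywords are case-insensitive.
SERVER_TOKENS = re.compile(r"^ServerTokens\s+(\S+)", re.I)

def audit(conf_text):
    """Return (effective ServerTokens value, findings) for httpd.conf text."""
    depth, seen, main, findings = 0, 0, [], []
    for n, line in enumerate(conf_text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue                      # a commented-out directive has no effect
        if s.startswith("</"):
            depth -= 1                    # leaving <VirtualHost>, <Directory>, ...
        elif s.startswith("<"):
            depth += 1                    # entering a container section
        m = SERVER_TOKENS.match(s)
        if not m:
            continue
        seen += 1
        if depth > 0:
            findings.append(f"line {n}: ServerTokens inside a section; it is server-wide only")
        else:
            main.append(m.group(1))
    if seen > 1:
        findings.append("more than one ServerTokens directive; keep a single one")
    # Assumption: with several main-section directives, report the last one.
    effective = main[-1] if main else "Full"
    if not main:
        findings.append("no ServerTokens in the main section: behaves as ServerTokens Full")
    elif effective.lower() == "full":
        findings.append("ServerTokens Full reveals the maximum amount of information")
    return effective, findings

# Constructed sample configurations (not taken from the text).
DEFAULT_CONF = """\
ServerName www.example.com
# ServerSignature On
<VirtualHost *>
    DocumentRoot /var/www/site
</VirtualHost>
"""
HARDENED_CONF = DEFAULT_CONF + "ServerTokens OS\nServerSignature On\n"
MISPLACED_CONF = DEFAULT_CONF.replace("DocumentRoot", "ServerTokens OS\n    DocumentRoot")

if __name__ == "__main__":
    for name, conf in [("default", DEFAULT_CONF), ("hardened", HARDENED_CONF),
                       ("misplaced", MISPLACED_CONF)]:
        print(name, audit(conf))
```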