Section 6.6. Controlling HTTP Headers

6.6. Controlling HTTP Headers

You might be getting a little concerned about information that your web server is making available to the rest of the world. In the case of Apache, you limit the information contained in the Server header line by configuring the ServerTokens directive with the appropriate keyword. There are four possible options:

ServerTokens Full

This returns the server type and version, the type of operating system, and information on supporting software, with their version numbers. For example:

     Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.12     OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 

ServerTokens OS

This returns the server type and version, and the type of operating system. For example:

     Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux)

ServerTokens Minimal

This returns the server type and version. For example:

     Server: Apache/1.3.27

ServerTokens ProductOnly

This returns only the server type. For example:

     Server: Apache

The default Apache configuration file does not include this directive, not even commented out like many other directives. Its absence has the same effect as ServerTokens Full, meaning that the maximum amount of information is revealed.

You can correct this easily by adding the directive anywhere in the main section of the file. Note that you can only have a single directive, which applies to the entire server, across all virtual hosts. My preference is for the OS option, which tells the world something about my site, without revealing possible vulnerabilities.

A related Apache directive is ServerSignature, which determines whether a string identifying your server is included in the error pages returned by the server. For example:

     Apache/1.3.27 Server at www.craic.com Port 80 

This can be set to On, Off, or Email. In the latter case, the message includes a mailto link to the server administrator. I recommend you set this to On because it helps determine the source of error messages.