Disable Apache2 headers to increase security

By default, an Apache 2 server will show version numbers and service information (not only about itself either) on different error pages and in its headers to all hosted websites. This provides useful information to any hacker. It can be smart to turn this off, and it's easy to do by changing the 3 below configuration directives to the values as shown.

/etc/apache2/conf.d/security

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
#ServerTokens Minimal
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
#ServerSignature Off
ServerSignature Off

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
#
#TraceEnable Off
TraceEnable Off


This document was last updated July 10th, 2011.
Written by: Dag Jonny Nedrelid
©2007-2012 http://thronic.com

Feel free to leave a comment.
Name:
URL:
0