avp::ptr weblog

How to deactivate the server signature for Apache2?

Every time a URL is requested that does not exist on a web server, an error page is displayed. By default, the page ends with the signature of the server. The signature includes information about the web server version, the operating system, and installed modules like PHP, Python, SSL and many more.

As everyone knows, there is no software out there without security problems. The versions of the installed modules tell an attacker which known vulnerabilities may apply to the server. Therefore, it is a good idea to reduce or deactivate the signature.

The Apache configuration file apache2.conf contains two directives that control this. The default settings are displayed here.

ServerSignature On
ServerTokens Full

The following screenshot shows what would be displayed with the setting:

ServerTokens Prod

[Screenshot: Apache configuration: ServerTokens Prod]

The Apache documentation provides more information and examples on how to change the signature.

Another way to display the information attached to the server signature is to use a browser extension.
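The same information can also be checked with a script after changing the configuration. The following is an added example, not part of the original post: it parses the Server header and the error page footer of a raw HTTP response and reports what is still disclosed. The function names, the host name and the three sample responses are constructed for illustration, and the third sample assumes ServerSignature Off, the value that removes the footer.

```python
import re

# Product tokens such as "Apache/2.2.16"; the version part is optional ("Apache").
TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)(?:/([\w.+~:-]+))?")
# Apache wraps the signature of a generated error page in <address>...</address>.
ADDRESS_RE = re.compile(r"<address>(.*?)</address>", re.I | re.S)

def audit_response(raw):
    """Report what a raw HTTP error response discloses about the server."""
    head, _, body = raw.partition("\r\n\r\n")
    server = ""
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    os_match = re.search(r"\(([^)]*)\)", server)  # "(Debian)" style comment
    tokens = TOKEN_RE.findall(re.sub(r"\([^)]*\)", " ", server))
    footer = ADDRESS_RE.search(body)
    return {
        "versions": [f"{n}/{v}" for n, v in tokens if v],
        "modules": [n for n, _ in tokens[1:]],    # tokens after the server itself
        "os": os_match.group(1) if os_match else None,
        "footer": footer.group(1).strip() if footer else None,
    }

def build(server, footer):
    """Constructed sample 404 response, not captured from a real host."""
    body = "<html><body><h1>Not Found</h1>"
    if footer:
        body += f"<hr>\n<address>{footer}</address>\n"
    body += "</body></html>"
    return ("HTTP/1.1 404 Not Found\r\n"
            f"Server: {server}\r\nContent-Type: text/html\r\n\r\n{body}")

FULL = "Apache/2.2.16 (Debian) PHP/5.3.3 mod_ssl/2.2.16"   # constructed value
SAMPLES = {
    "ServerTokens Full, ServerSignature On":
        build(FULL, FULL + " Server at www.example.com Port 80"),
    "ServerTokens Prod, ServerSignature On":
        build("Apache", "Apache Server at www.example.com Port 80"),
    "ServerTokens Prod, ServerSignature Off":
        build("Apache", None),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", audit_response(raw))
```

With ServerTokens Prod the header and footer still name the product, but versions, operating system and modules are gone; only the third sample has no footer at all.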

Written by tobi

September 29th, 2010 at 7:58 pm