I usually don’t disable apache, php, nginx headers because to me that is just security through obscurity.
My thoughts are this:
- if someone doesn’t know what version of software you are running and they decide to hack your domain or server, they will simply throw every public exploit that exists for said product at it, or even simply “fingerprint” it for the correct version
- it makes my life easier because I can also query for those headers if for some reason I don’t remember the version of software (which saves me from logging in to the server or using other methods that might take longer – efficiency is key!)
- skiddies are going to throw everything at it anyway
On the flip side:
- it’s not that hard to do
- if it makes your life easier then by all means do it
- maybe you only run a single server instead of hundreds or thousands, so it’s easier to remember the software versions
Apache controls this with two directives in the httpd.conf file: ServerTokens and ServerSignature.
ServerTokens controls whether the Server response header field, which is sent back to clients, includes a description of the generic OS-type of the server as well as information about compiled-in modules. The default setting is Full.
Here is a chart that defines each setting:

| ServerTokens Setting | ServerTokens Header Example |
|---|---|
| OS | Server: Apache/2.2.19 (Gentoo) |
| Full (default value, or not specified) | Server: Apache/2.2.19 (Gentoo) PHP/5.2.17 mod_ssl/2.2.19 OpenSSL/1.0.0f |
The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy, FTP directory listings, etc.). Apache’s own default is Off, but some distributions may enable it. The only three options are Off, On and EMail.
So to make Apache give out as little information as possible, we simply add these two settings to the global section of httpd.conf:

```apache
ServerTokens ProductOnly
ServerSignature Off
```
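As an added check (example code written for this post, not part of the original), the following Python maps a Server header value back to the ServerTokens level that would have produced it, so after a restart you can confirm the setting took effect; the sample values are constructed from the chart above, and the level names are Apache’s own.

```python
import re

# Constructed sample Server values modelled on the chart above (not from a real host).
SAMPLE_SERVER_VALUES = {
    "Full": "Apache/2.2.19 (Gentoo) PHP/5.2.17 mod_ssl/2.2.19 OpenSSL/1.0.0f",
    "OS": "Apache/2.2.19 (Gentoo)",
    "Minimal": "Apache/2.2.19",
    "Minor": "Apache/2.2",
    "Major": "Apache/2",
    "ProductOnly": "Apache",
}

# Product token, optional major.minor.patch, optional trailing OS/module text.
_APACHE_TOKEN = re.compile(r"^Apache(?:/(\d+)(?:\.(\d+)(?:\.(\d+))?)?)?(?:\s+(.+))?$")

def classify_server_tokens(server_value: str) -> str:
    """Return the ServerTokens level (ProductOnly, Major, Minor, Minimal, OS, Full)
    that would emit this Server value, or "unknown" if it is not an Apache token."""
    m = _APACHE_TOKEN.match(server_value.strip())
    if not m:
        return "unknown"
    major, minor, patch, rest = m.groups()
    if rest:
        # A lone "(OS)" suffix is the OS level; module tokens after it mean Full.
        return "OS" if re.fullmatch(r"\([^()]*\)", rest) else "Full"
    if patch is not None:
        return "Minimal"
    if minor is not None:
        return "Minor"
    if major is not None:
        return "Major"
    return "ProductOnly"

def server_value_from_headers(raw_headers: str) -> str:
    """Pull the Server value out of a raw response header block (e.g. `curl -sI`
    output); returns "" when the header is absent."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return ""

def audit_headers(raw_headers: str) -> dict:
    """Summarise what the Server header reveals and whether it exceeds ProductOnly."""
    value = server_value_from_headers(raw_headers)
    level = classify_server_tokens(value) if value else "absent"
    return {"server": value, "level": level,
            "leaks_version": level not in ("ProductOnly", "absent", "unknown")}
```

Feed it the output of a HEAD request against your own server; a `leaks_version` of True means the directive has not taken effect (or a vhost overrides it).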
PHP has a single setting that you place in the php.ini file to disable its banner. It is simply: