Jan 18 2012
I usually don’t disable the Apache, PHP and nginx version headers, because to me that is just security through obscurity.

My thoughts are these:

  1. If someone doesn’t know what version of software you are running and decides to attack your domain or server, they will simply throw every public exploit that exists for that product at it, or fingerprint the exact version by other means (error pages, module behaviour, response ordering).
  2. It makes my life easier, because I can query those headers when I don’t remember the version of software on a box (which saves me from logging in to the server or using other methods that take longer; efficiency is key!).
  3. Skiddies are going to throw everything at it anyway.

On the flip side:

  1. It’s not that hard to do.
  2. If it makes your life easier, then by all means do it.
  3. Maybe you only run a single server instead of hundreds or thousands, so it’s easy to remember the software versions.

Apache

Apache uses two directives in the httpd.conf file:

  1. ServerTokens
  2. ServerSignature

ServerTokens controls whether the Server response header field, which is sent back to clients, includes a description of the generic OS type of the server as well as information about compiled-in modules.  The default setting is Full.  It is valid only in the main server config (not in a virtual host or .htaccess), and since Apache 2.0.44 it also controls how much detail ServerSignature prints.

Here is a chart that defines each setting (Prod and Min are accepted abbreviations):

    ServerTokens setting              Server header example
    ProductOnly                       Server: Apache
    Major                             Server: Apache/2
    Minor                             Server: Apache/2.2
    Minimal                           Server: Apache/2.2.19
    OS                                Server: Apache/2.2.19 (Gentoo)
    Full (default if not specified)   Server: Apache/2.2.19 (Gentoo) PHP/5.2.17 mod_ssl/2.2.19 OpenSSL/1.0.0f

 

The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy FTP directory listings, mod_info output, etc.).  The default setting from Apache is Off, but some distributions enable it.  The only three options are Off|On|EMail; EMail adds a mailto: link to the ServerAdmin address, which is one more piece of information you probably don’t want to hand out.

So to make Apache give out as little information as possible, we simply add these settings to the global (main server) section of httpd.conf and restart or gracefully reload Apache:

ServerTokens ProductOnly
ServerSignature Off

Note that this still sends "Server: Apache"; stock Apache has no directive to drop or rewrite the Server header entirely (that takes a third-party module such as mod_security and its SecServerSignature directive).

PHP

PHP has a single setting that you place in the php.ini file to disable its banner.  It removes the X-Powered-By: PHP/x.y.z response header and the PHP logo/credits "easter egg" query strings.  It is simply:

expose_php = Off

expose_php is a PHP_INI_SYSTEM setting, so it cannot be changed from a script with ini_set(); set it in php.ini and restart the web server (or PHP-FPM) for it to take effect.

NGINX

nginx has one directive, valid in the http, server or location context.  It trims the Server header from "nginx/1.0.11" to "nginx" and also removes the version from nginx’s built-in error pages:

server_tokens off;

As with Apache, the product name is still sent; removing the header completely requires a third-party module (for example the headers_more module) or a source patch.
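Whichever side of the argument you land on, you want to see what a server actually sends, both to confirm the settings above took effect and (per the post’s point 2) to read versions back later.  The script below is an added example, not code from the original post: it audits the Server and X-Powered-By headers of a response, flagging any banner that still carries a version, and runs offline against two constructed header sets (a "before" with ServerTokens Full and expose_php on, an "after" with ServerTokens ProductOnly and expose_php = Off).  Pass a URL as the first argument and it runs the same audit on live headers from curl -sI; the header names, sample values and the "leaks=N" summary line are this example’s own conventions.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the banner headers a
# web server sends, so you can check ServerTokens / expose_php / server_tokens.
# Input is raw HTTP response headers, either from "curl -sI" or a saved capture.

# Print the value of header $1 (case-insensitive) from response headers on stdin.
# Prints nothing if the header is absent; strips the CR that real responses carry.
header_value() {
    grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r'
}

# Succeed (exit 0) if a banner still carries a version: any "/digit" such as
# Apache/2, Apache/2.2.19, PHP/5.2.17 or nginx/1.0.11. "Apache" or "nginx"
# alone (ProductOnly / server_tokens off) does not match.
leaks_version() {
    printf '%s\n' "$1" | grep -Eq '/[0-9]'
}

# Read response headers on stdin; report the two banner headers the post
# discusses and finish with "leaks=N", N being the count that disclose a version.
audit_headers() {
    headers="$(cat)"
    leaks=0
    for name in Server X-Powered-By; do
        value="$(printf '%s\n' "$headers" | header_value "$name")"
        if [ -z "$value" ]; then
            printf '%s: (not sent)\n' "$name"
        elif leaks_version "$value"; then
            printf '%s: %s  <- version disclosed\n' "$name" "$value"
            leaks=$((leaks + 1))
        else
            printf '%s: %s  <- product only\n' "$name" "$value"
        fi
    done
    printf 'leaks=%d\n' "$leaks"
}

# Constructed sample: an Apache 2.2 box with ServerTokens Full and expose_php
# still on (the "before" state from the post). Not a real capture.
SAMPLE_FULL='HTTP/1.1 200 OK
Date: Wed, 18 Jan 2012 12:00:00 GMT
Server: Apache/2.2.19 (Gentoo) PHP/5.2.17 mod_ssl/2.2.19 OpenSSL/1.0.0f
X-Powered-By: PHP/5.2.17
Content-Type: text/html'

# Constructed sample: the same host after ServerTokens ProductOnly,
# ServerSignature Off and expose_php = Off.
SAMPLE_TRIMMED='HTTP/1.1 200 OK
Date: Wed, 18 Jan 2012 12:00:00 GMT
Server: Apache
Content-Type: text/html'

if [ "$#" -gt 0 ]; then
    # Live check, e.g.: sh audit.sh https://www.example.com/
    curl -sI "$1" | audit_headers
else
    echo "== before =="; printf '%s\n' "$SAMPLE_FULL" | audit_headers
    echo "== after ==";  printf '%s\n' "$SAMPLE_TRIMMED" | audit_headers
fi
```

The "/digit" test is deliberately broad: it flags every ServerTokens level except ProductOnly, which is exactly the boundary the post’s settings are meant to reach.  Run it against a proxied or load-balanced host as well, since a front-end proxy can replace or add its own Server header and hide what the origin is really configured to send.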