[SATLUG] Question Regarding http Headers

Wes Henderson whendersonii at gmail.com
Sun Feb 3 20:46:56 CST 2013

Thank you very much for the feedback; the article made for a nice read,
although it also referenced the httpd.conf file. I have since found the
solution and I thought I would share in case anyone else is interested.

It seems that the apache2.conf file has replaced the httpd.conf file as the
primary configuration file for apache2 (source:
https://help.ubuntu.com/10.04/serverguide/httpd.html); however, the
apache2.conf file does not have the option to obfuscate the server info.
The option is now located at /etc/apache2/conf.d/security (source:
Simply changing the 'ServerTokens' parameter to 'Prod' will obfuscate the
HTTP header, and changing The 'ServerSignature' parameter to 'Off' will
remove the server info from 404 error pages (source:
http://www.petefreitag.com/item/505.cfm). FYI, that last link is an awesome

I used '$ curl -I <URL>' to view the HTTP header information, and changing
the 'ServerTokens' field to 'Prod' changed my HTTP header from 'Server:
Apache/2.2.22 (Ubuntu)' to 'Server: Apache'.

Thank you again for the excellent feedback and I hope that this information
can help someone else.

On Sat, Feb 2, 2013 at 12:32 PM, Mark Mayfield <mayfield_mark at gvtc.com>wrote:

> If you mean removing the apache and version info from the response
> headers, I looked into that a while back. The information I found stated
> that that web server information is an important part of the proper
> functioning of the web server and that it is not a proper practice to
> remove. I found some information about modifying the appropriate sections
> of code and recompiling Apache, but I don't believe the versions of Apache
> that ship with distros or come in the repositories will support removing
> that info from the headers.
> If you look at the following link you'll notice that you are instructed to
> modify the source code to achieve the result. This was just a quick google
> search, I remember finding something on the official apache site to the
> same effect.
> http://www.dsm.fordham.edu/~**mathai/apache.html<http://www.dsm.fordham.edu/~mathai/apache.html>
> On 02/02/2013 12:05 PM, Wes Henderson wrote:
>> Hey guys, I have a quick question that I was hoping someone could help
>> with. I am running a webserver with apache v2.2.22 utilizing virtual hosts
>> on Mint and I was hoping to obfuscate the http header information. All of
>> my searches this morninig pointed to the .htaccess file and the httpd.conf
>> file; neither of which appear to be in use on my version of apache. Any
>> help getting pointed to the right direction would be greatly appreciated.
>> Thanks in advance.
> --
> ______________________________**_________________
> SATLUG mailing list
> SATLUG at satlug.org
> http://alamo.satlug.org/**mailman/listinfo/satlug<http://alamo.satlug.org/mailman/listinfo/satlug>to manage/unsubscribe
> Powered by Rackspace (www.rackspace.com)

*Wes Henderson*
IT Consultant
Email: whendersonii at gmail.com

Find me on my website: weshenderson.info
And elsewhere -
     Google+ <https://plus.google.com/u/0/118217301983867537201/posts>
     Linkedin <http://www.linkedin.com/pub/wes-henderson/41/3b7/a96>
     Twitter <https://twitter.com/intent/tweet?screen_name=whendersonii>

"Unix is simple, but it takes a genius to understand the simplicity." -
Dennis Ritchie

More information about the SATLUG mailing list