[SATLUG] Question Regarding http Headers
Donald L Wilcox
dwilcox at neonnightrider.com
Mon Feb 4 12:14:56 CST 2013
If I remember correctly, Debian-based distros always use apache2.conf as the config file. I have recent versions of rpm-based distros (e.g. Fedora, RHEL, CentOS) that use httpd.conf.
Also, I think I used ServerSignature and ServerTokens in .htaccess, so that'll also work if you only want to obfuscate at the vhost level.
Donald Wilcox Web: http://www.neonnightrider.com
San Antonio, TX LinkedIn: http://www.linkedin.com/in/donaldwilcoxjr
From: "Wes Henderson" <whendersonii at gmail.com>
Sent: Sunday, February 3, 2013 20:46
To: "The San Antonio Linux User's Group Mailing List" <satlug at satlug.org>
Subject: Re: [SATLUG] Question Regarding http Headers
Thank you very much for the feedback; the article made for a nice read,
although it also referenced the httpd.conf file. I have since found the
solution and I thought I would share in case anyone else is interested.
It seems that the apache2.conf file has replaced the httpd.conf file as the
primary configuration file for apache2 (source:
https://help.ubuntu.com/10.04/serverguide/httpd.html); however, the
apache2.conf file does not have the option to obfuscate the server info.
The option is now located at /etc/apache2/conf.d/security (source:
Simply changing the 'ServerTokens' parameter to 'Prod' will obfuscate the
HTTP header, and changing The 'ServerSignature' parameter to 'Off' will
remove the server info from 404 error pages (source:
http://www.petefreitag.com/item/505.cfm). FYI, that last link is an awesome
I used '$ curl -I <URL>' to view the HTTP header information, and changing
the 'ServerTokens' field to 'Prod' changed my HTTP header from 'Server:
Apache/2.2.22 (Ubuntu)' to 'Server: Apache'.
Thank you again for the excellent feedback and I hope that this information
can help someone else.
On Sat, Feb 2, 2013 at 12:32 PM, Mark Mayfield <mayfield_mark at gvtc.com> wrote:
> If you mean removing the apache and version info from the response
> headers, I looked into that a while back. The information I found stated
> that that web server information is an important part of the proper
> functioning of the web server and that it is not a proper practice to
> remove. I found some information about modifying the appropriate sections
> of code and recompiling Apache, but I don't believe the versions of Apache
> that ship with distros or come in the repositories will support removing
> that info from the headers.
> If you look at the following link you'll notice that you are instructed to
> modify the source code to achieve the result. This was just a quick google
> search, I remember finding something on the official apache site to the
> same effect.
> On 02/02/2013 12:05 PM, Wes Henderson wrote:
>> Hey guys, I have a quick question that I was hoping someone could help
>> with. I am running a webserver with apache v2.2.22 utilizing virtual hosts
>> on Mint and I was hoping to obfuscate the http header information. All of
>> my searches this morning pointed to the .htaccess file and the httpd.conf
>> file; neither of which appear to be in use on my version of apache. Any
>> help getting pointed to the right direction would be greatly appreciated.
>> Thanks in advance.
> SATLUG mailing list
> SATLUG at satlug.org
> http://alamo.satlug.org/mailman/listinfo/satlug to manage/unsubscribe
> Powered by Rackspace (www.rackspace.com)
Email: whendersonii at gmail.com
Find me on my website: weshenderson.info
And elsewhere -
"Unix is simple, but it takes a genius to understand the simplicity." -
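Added example, not part of the SATLUG thread: the two directives Wes settled on, written out as a drop-in configuration fragment, plus a small check that pulls the Server header out of captured 'curl -I' output and reports whether it still carries version or OS detail. The destination path is only an argument here (the thread names /etc/apache2/conf.d/security for Apache 2.2 on Ubuntu); the sample responses are constructed to match the before/after values Wes reported.

```shell
#!/bin/sh
# Added example (not from the SATLUG thread). Paths and sample output are constructed.

# Hardened settings as a standalone conf fragment. Where it is loaded from
# depends on the distro's Apache layout (the thread points at
# /etc/apache2/conf.d/security for Apache 2.2 on Ubuntu; assumed, not checked here).
APACHE_SECURITY_CONF='# Do not advertise version, OS or modules in the Server header
ServerTokens Prod
# Do not append server details to error pages and directory listings
ServerSignature Off
'

write_security_conf() {
    # $1: destination file, e.g. /etc/apache2/conf.d/security
    printf '%s' "$APACHE_SECURITY_CONF" > "$1"
}

# Print the value of the Server header from raw response headers on stdin
# (what 'curl -I <URL>' shows). Header names are case-insensitive and
# HTTP lines end in CRLF, so strip CRs and compare lower-cased.
server_header() {
    tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^ ]+ */, ""); print; exit }'
}

# Return 0 when the Server value is a bare product name (what ServerTokens Prod
# yields), 1 when it still leaks details such as "Apache/2.2.22 (Ubuntu)".
server_header_is_minimal() {
    case "$1" in
        */*|*"("*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample responses, modelled on the values reported in the thread.
BEFORE='HTTP/1.1 200 OK
Date: Sun, 03 Feb 2013 20:00:00 GMT
Server: Apache/2.2.22 (Ubuntu)
Content-Type: text/html
'
AFTER='HTTP/1.1 200 OK
Date: Sun, 03 Feb 2013 20:00:00 GMT
Server: Apache
Content-Type: text/html
'

# $1: raw response headers. Prints a verdict; exit status 0 = minimal, 1 = leaks.
check_response() {
    hdr=$(printf '%s' "$1" | server_header)
    if server_header_is_minimal "$hdr"; then
        echo "OK: Server header is '$hdr'"
        return 0
    fi
    echo "LEAK: Server header is '$hdr'"
    return 1
}

# Against a live server the same check is:  curl -sI "$URL" | server_header
check_response "$BEFORE" || :
check_response "$AFTER"
```

The check only inspects the Server header; ServerSignature Off is confirmed separately by requesting a non-existent path and looking for the "Apache/..." footer line on the 404 page, as Wes describes.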