35

I have "Server: Apache" in my HTTP response headers and want to remove it. I followed instructions like adding this to httpd.conf:

ServerSignature Off  
ServerTokens Prod
Header unset Server

But the last line has no effect. First two lines have changed header's content (earlier it contained also information about OS and PHP), but I need to remove it completely. How to do this?

John
  • 1
  • 13
  • 98
  • 177
Audiophile
  • 970
  • 2
  • 8
  • 20

6 Answers6

76

Apache don't allow you to unset this completely. In fact some of the developers are vehemently against adding this despite it being a simple code change that's been suggested (and even written!) several times. See here and here for just some of the discussions where this has been brought up and rejected.

They give various reasons for this, including:

  1. It might make it more difficult to count the number of Apache installs in the wild. This is, I suspect, the main reason. Web server usage is fiercely contested and one of Apache's rivals (which may or may not begin with an N) regularly posts how it is gaining ground on Apache and most scans will be based on the HTTP Header, so I can understand this reluctance to make it easier to hide this.

  2. Security by obscurity is a myth, and gives a false sense of security as it's easy to fingerprint a server to see which software it likely is, based on how it responds to certain requests. While there is an inkling of truth in that, specifying ServerTokens as Full by default definitely is a security issue leaking far too much information than should be shown by default on a public website.

  3. It may or may not be against the HTTP spec to not supply a server header. This seems to be in some disputes and still doesn't answer why they don't allow you to change it to some random string rather than Apache.

  4. It makes it difficult to debug issues, but you'd think anyone needing to debug would know, or be able to find out, the exact versions.

  5. Proxy servers "might" handle requests differently if they know the server type at the other end. Which is wrong of proxy servers IMHO and I doubt it's done much anymore.

  6. If people really want to amend or hide this header they can edit the source code. Which is, quite frankly, a dangerous recommendation to advise people with no experience of the code to do and could lead to other security issues if they run from a non-packaged version just to add this.

They even goes as far as adding this in the official documentation:

Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems. Also note that disabling the Server: header does nothing at all to make your server more secure. The idea of "security through obscurity" is a myth and leads to a false sense of safety.

That reasoning is, IMHO, ridiculous and, as I say, if that's the main reason to not allow it then I don't see why they don't change their stance. At worse case it doesn't add anything as they say and it stops this whole question being raised every so often though personally I think the less unnecessary information you give out, the better so would prefer to be able to turn this off.

Until that unlikely u-turn, you're left with:

  1. Setting it minimal (so it will show "Apache") - which is probably good enough
  2. Editing the source code - which is overkill except for the most paranoid, and means the same change needs to be applied on each new version.
  3. Installing ModSecurity - which (at least used to) allow you to overwrite (but not remove) this header to whatever you wanted to hide the server software. Probably overkill to install this just for that, though there are other benefits to a WAF.
  4. Proxy Apache behind another web server which allows you to change this field.
  5. Switch to another web server.

It should be noted however, for points 4 and 5, that most other web servers don't allow you to turn this off either so this is not a problem unique to Apache. For example Nginx doesn't allow this to be turned off without similarly editing the source code.

Barry Pollard
  • 40,655
  • 7
  • 76
  • 92
  • 5
    hiding what you got under the hood isnt all just about security. its also to hide from your competitors what tech youre using. the official documentation is clear bunk. be open about it: "its in our interest and pays our bills for you to expose apache" dont make it seem like its something i need – user2914191 Aug 09 '19 at 14:21
  • See my answer: https://stackoverflow.com/questions/35360516/cant-remove-server-apache-header/66667833#66667833 I have mentioned how to remove using source. – Example person Mar 17 '21 at 06:48
15

Header retrieval

To get the headers, this seems to work adequately if on the server (all tests done on Ubuntu 14.04 Trusty Tahr):

curl -v http://localhost:80/ | head

which produces something like:

< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:17:51 GMT
* Server Apache/2.4.7 (Ubuntu) is not blacklisted
< Server: Apache/2.4.7 (Ubuntu)

Removing the version number

To remove the version number, edit the file /etc/apache2/conf-enabled/security.conf and amend the lines:

  • ServerTokens OS to ServerTokens Prod
  • ServerSignature On to ServerSignature Off

and restart Apache:

sudo service apache2 restart

You should now get the a response like:

< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:20:03 GMT
* Server Apache is not blacklisted
< Server: Apache

Removing the word "Apache"

To remove the word Apache completely, first install ModSecurity:

sudo apt-get install libapache2-mod-security2

The following lines appear to not be required (enabling the module and restarting Apache) but for reference:

sudo a2enmod security2
sudo service apache2 restart

Check that the module is enabled:

apachectl -M | grep security

which should show:

security2_module (shared)

Then although you can amend /etc/modsecurity/modsecurity.conf (by renaming modsecurity.conf-recommended), instead amend /etc/apache2/apache.conf which seems easier (note you can use whatever name you want, in this case I've simply used a space):

<IfModule security2_module>
    SecRuleEngine on
    ServerTokens Min
    SecServerSignature " "
</IfModule>

(Using Min rather than Full also prevents modules such as mod_fastcgi appearing after the blank server name.)

Then restart Apache:

sudo service apache2 restart

Final check

Now when you run the command:

curl -v http://localhost:80/ | head

you should get:

< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:31:11 GMT
* Server  is not blacklisted
< Server:
SharpC
  • 6,974
  • 4
  • 45
  • 40
  • It should be noted that **mod_security2** does not come with a viable default configuration, meaning you have to go through and intelligently change it to something that works in your situation. Make sure you test everything, as it has been known to **break things in unexpected places.** – UncaAlby Dec 13 '22 at 19:27
2

I AM NOT RESPONSIBLE FOR ANYTHING CAUSED!
MAKE SURE YOU FOLLOW THE LICENSE FILE INCLUDED WITH IT!

THE FOLLOWING CURRENTLY WORKS FOR APACHE VERSION 2.4.46:

To remove the Server: header completely:

  1. Download the Apache source from https://httpd.apache.org, extract it, and edit it.

  2. Edit the file httpd-2.4.46/server/core.c, and change the following lines:

    enum server_token_type {
    SrvTk_MAJOR,         /* eg: Apache/2 */
    SrvTk_MINOR,         /* eg. Apache/2.0 */
    SrvTk_MINIMAL,       /* eg: Apache/2.0.41 */
    SrvTk_OS,            /* eg: Apache/2.0.41 (UNIX) */
    SrvTk_FULL,          /* eg: Apache/2.0.41 (UNIX) PHP/4.2.2 FooBar/1.2b */
    SrvTk_PRODUCT_ONLY   /* eg: Apache */
};

    TO:

    enum server_token_type {
    SrvTk_MAJOR,         /* eg: Apache/2 */
    SrvTk_MINOR,         /* eg. Apache/2.0 */
    SrvTk_MINIMAL,       /* eg: Apache/2.0.41 */
    SrvTk_OS,            /* eg: Apache/2.0.41 (UNIX) */
    SrvTk_FULL,          /* eg: Apache/2.0.41 (UNIX) PHP/4.2.2 FooBar/1.2b */
    SrvTk_PRODUCT_ONLY,  /* eg: Apache */
    SrvTk_NONE           /* removes Server: header */
};

  3. Change this other line:

        if (ap_server_tokens == SrvTk_PRODUCT_ONLY) {
        ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT);
    }
    else if (ap_server_tokens == SrvTk_MINIMAL) {
        ap_add_version_component(pconf, AP_SERVER_BASEVERSION);
    }
    else if (ap_server_tokens == SrvTk_MINOR) {
        ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MINORREVISION);
    }
    else if (ap_server_tokens == SrvTk_MAJOR) {
        ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
    }
    else {
        ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
    }

    TO:

        if (ap_server_tokens == SrvTk_PRODUCT_ONLY) {
        ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT);
    }
    else if (ap_server_tokens == SrvTk_MINIMAL) {
        ap_add_version_component(pconf, AP_SERVER_BASEVERSION);
    }
    else if (ap_server_tokens == SrvTk_MINOR) {
        ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MINORREVISION);
    }
    else if (ap_server_tokens == SrvTk_MAJOR) {
        ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
    }
    else if (ap_server_tokens == SrvTk_NONE) {
        ap_add_version_component(pconf, "");
    }
    else {
        ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
    }

  4. And change this:

        if (!strcasecmp(arg, "OS")) {
        ap_server_tokens = SrvTk_OS;
    }
    else if (!strcasecmp(arg, "Min") || !strcasecmp(arg, "Minimal")) {
        ap_server_tokens = SrvTk_MINIMAL;
    }
    else if (!strcasecmp(arg, "Major")) {
        ap_server_tokens = SrvTk_MAJOR;
    }
    else if (!strcasecmp(arg, "Minor") ) {
        ap_server_tokens = SrvTk_MINOR;
    }
    else if (!strcasecmp(arg, "Prod") || !strcasecmp(arg, "ProductOnly")) {
        ap_server_tokens = SrvTk_PRODUCT_ONLY;
    }
    else if (!strcasecmp(arg, "Full")) {
        ap_server_tokens = SrvTk_FULL;
    }
    else {
        return "ServerTokens takes 1 argument: 'Prod(uctOnly)', 'Major', 'Minor', 'Min(imal)', 'OS', or 'Full'";
    }

    TO:

        if (!strcasecmp(arg, "OS")) {
        ap_server_tokens = SrvTk_OS;
    }
    else if (!strcasecmp(arg, "Min") || !strcasecmp(arg, "Minimal")) {
        ap_server_tokens = SrvTk_MINIMAL;
    }
    else if (!strcasecmp(arg, "Major")) {
        ap_server_tokens = SrvTk_MAJOR;
    }
    else if (!strcasecmp(arg, "Minor") ) {
        ap_server_tokens = SrvTk_MINOR;
    }
    else if (!strcasecmp(arg, "Prod") || !strcasecmp(arg, "ProductOnly")) {
        ap_server_tokens = SrvTk_PRODUCT_ONLY;
    }
    else if (!strcasecmp(arg, "Full")) {
        ap_server_tokens = SrvTk_FULL;
    }
    else if (!strcasecmp(arg, "None")) {
        ap_server_tokens = SrvTk_NONE;
    }
    else {
        return "ServerTokens takes 1 argument: 'Prod(uctOnly)', 'Major', 'Minor', 'Min(imal)', 'OS', 'Full' or 'None'";
    }

  5. Compile Apache from the source you have modified. See: http://httpd.apache.org/docs/current/install.html

  6. Set the following in httpd.conf:

    ServerSignature Off
ServerTokens None

OR:

  1. Download the Apache source from https://httpd.apache.org, extract it, and edit it.
  2. Edit the file httpd-2.4.46/server/core.c, and change the following: 
        if (ap_server_tokens == SrvTk_PRODUCT_ONLY) {
        ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT);
    }
    else if (ap_server_tokens == SrvTk_MINIMAL) {
        ap_add_version_component(pconf, AP_SERVER_BASEVERSION);
    }
    else if (ap_server_tokens == SrvTk_MINOR) {
        ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MINORREVISION);
    }
    else if (ap_server_tokens == SrvTk_MAJOR) {
        ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
    }
    else {
        ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
    }
    TO: 
        if (ap_server_tokens == SrvTk_PRODUCT_ONLY) {
        ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT);
    }
    else if (ap_server_tokens == SrvTk_MINIMAL) {
        ap_add_version_component(pconf, AP_SERVER_BASEVERSION);
    }
    else if (ap_server_tokens == SrvTk_MINOR) {
        ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MINORREVISION);
    }
    else if (ap_server_tokens == SrvTk_MAJOR) {
        ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
    }
    else {
        ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
    }
    ap_add_version_component(pconf, "");

So, if you change your mind, you could just set ServerTokens to Prod or something else... And the header will be back. Change to None again, it is gone :)

I know this is a late answer. But, still it can help a lot!

Example person
  • 3,198
  • 3
  • 18
  • 45
  • I'd love to try this out but need to locate httpd-2.4.46/server/core.c I'm on 2.4.48 but have a different path: /etc/httpd - where can I find core.c? – infiniteshi Sep 13 '21 at 18:58
  • 2
    @infiniteshi, you need to download the source from httpd.apache.org, use the above answer, compile it and use it. It won't work with normal apt, yum installations I am sure – Example person Sep 14 '21 at 19:51
  • Love this answer but it's hard to see exactly what changes you're making in your "Change TO " examples. In my opinion, they'd be more readable in a "unified diff" format, i.e. https://stackoverflow.com/a/29113646 – egherrmann Sep 23 '21 at 18:22
  • @egherrmann, Hmm... let me add that too, later – Example person Sep 24 '21 at 07:30
2

This aproach:

Header always set "Server" "Generic Web Server"

Only works for 2XX responses. If you have a rewrite rule with a redirection, it's ignored and returns the value set by ServerTokens option.

Finally I've modified the variable it's defining product name in include/ap_release.h. More simple and it can be done with a single sed:

sed 's/AP_SERVER_BASEPRODUCT\ "Apache"/AP_SERVER_BASEPRODUCT\ "Generic Web Server"/' include/ap_release.h
Guillem Parera
  • 21
  • 4
0

If the need is simply hide the information regarding which web-server is running, you can try to add the following row in the configuration file:

Header set "Server" "Generic Web Server".
SharpC
  • 6,974
  • 4
  • 45
  • 40
Sandro Tassa
  • 11
  • Unfortunately "Server" seems to be a restricted parameter which cannot be edited: https://serverfault.com/questions/113650/apache-header-set-server-not-working – SharpC Jan 28 '21 at 10:36
-3

You probably haven't enabled mod_headers.

Check if it's enabled:

root@host: a2query -m headers

If mod headersis enabled output should be something like headers (enabled by ...).

If it's not enabled activate the module by using:

a2enmod headers
maxhb
  • 8,554
  • 9
  • 29
  • 53