I am using Amazon Linux and running Apache 2.4.39. I have added "Header unset Server" along with "ServerToken Prod" and "ServerSignature Off".
However, I still see "Server: Apache" in the headers. Further I tried setting Server header to null using below: Header set Server ""
This works and shows the null header however, it works only for index.php.
I want this to work for all the pages supported by the website like .gif, admin.css etc.
Please suggest!
Thanks in advance!
Try my suggested fix here:
sudo apt-get install libapache2-mod-security2
then add this to the end of /etc/apache2/apache.conf:
<IfModule security2_module>
SecRuleEngine on
ServerTokens Min
SecServerSignature " "
</IfModule>
and restart Apache:
sudo service apache2 restart
Here is my contribution which appends to the file and all in one.
curl -skIL localhost
sudo apt-get install -y libapache2-mod-security2
cat >> /etc/apache2/apache2.conf << 'EOL'
<IfModule security2_module>
SecRuleEngine on
ServerTokens Min
SecServerSignature " "
</IfModule>
EOL
sudo service apache2 restart
curl -skIL localhost
Example:
root@CoolServerName:/home/ubuntu# curl -skIL localhost
HTTP/1.1 400 Bad Request
Date: Wed, 09 Nov 2022 18:15:15 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-
root@CoolServerName:/home/ubuntu# cat >> /etc/apache2/apache2.conf << 'EOL'
<IfModule security2_module>
SecRuleEngine on
ServerTokens Min
SecServerSignature " "
</IfModule>
EOL
root@CoolServerName:/home/ubuntu# sudo service apache2 restart
root@CoolServerName:/home/ubuntu# curl -skIL localhost
HTTP/1.1 400 Bad Request
Date: Wed, 09 Nov 2022 18:16:45 GMT
Server:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1
root@CoolServerName:/home/ubuntu#
