In the default Apache configuration, the server sends an HTTP response header that reveals the Apache version, loaded modules, operating system, etc. The “Server” response header carries all these details. Attackers can use this information to target known vulnerabilities in the Apache version, OS or modules you are running, especially if you are running an older version with known vulnerabilities.
The solution is to hide this kind of information.
To do that you use the Apache Header directive (provided by mod_headers). The Header directive is processed just before the response is sent to the network, so it lets you overwrite or modify response headers set by your application.
Load the Apache headers module.
First, make sure the headers module is loaded. Run httpd -M to list all loaded modules and check that headers_module is in the list. If the headers module is not loaded, you have to load it in the httpd config.
Locate your httpd config file. If you are not sure where your config files are, run httpd -V to show the compile settings.
It shows HTTPD_ROOT as well as SERVER_CONFIG_FILE. In my case, these two settings resolved to /usr/local/httpd/conf/httpd.conf, so that is the location of httpd.conf. After you locate httpd.conf, edit this file and add the following line to load the headers module:
LoadModule headers_module modules/mod_headers.so
Now run httpd -M again; the loaded modules should now include headers_module.
After headers_module is loaded, add the following lines of config to httpd.conf (if the settings are already there, make sure they have these values):
ServerSignature Off
ServerTokens Prod
Normally Apache appends a trailing footer line, including the server name, version, etc., to server-generated documents such as error pages. ServerSignature Off turns this footer line off. ServerTokens Prod makes the Server header return only “Apache” without any version number. For a detailed explanation, refer to the Apache documentation for these two directives.
Furthermore, we should unset the Server header and the X-Powered-By header completely, so include the following lines in httpd.conf as well.
# If mod_headers module is included, we will disable the Server response header totally
Header unset Server
Header unset X-Powered-By
With the above changes, you have unset or removed the Apache response headers that expose sensitive information.
On IIS/ASP.NET the equivalent response headers are added in different places:
Server: added by IIS.
X-AspNet-Version: added by System.Web.dll when the HttpResponse class flushes the response.
X-AspNetMvc-Version: added by MvcHandler in System.Web.dll.
X-Powered-By: added by IIS
To remove all the custom headers that disclose too much information, the methods are (unfortunately) different for each header on IIS 7:
Header Name: X-Powered-By
Add the following entry inside <httpProtocol><customHeaders> in the <system.webServer> section of web.config:
<remove name="X-Powered-By" />
Header Name: Server
Implement an HttpModule that strips this header out by calling Response.Headers.Remove("Server") from the PreSendRequestHeaders event.
Header Name: X-AspNet-Version
In the httpRuntime section of web.config, set:
<httpRuntime enableVersionHeader="false" />
Header Name: X-AspNetMvc-Version
From the Application_Start event in global.asax, execute the following code (C#):
MvcHandler.DisableMvcResponseHeader = true;
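Whichever server you hardened, verify the result from the outside. The following shell script is an added example, not code from the original article: it reads a raw HTTP response header block and flags the disclosure headers discussed above (a Server value carrying a version or OS string, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version). The two sample responses are constructed, not real captures.

```bash
#!/usr/bin/env bash
# audit_headers: read raw response headers on stdin, print each header that
# discloses server details, return 1 if any were found and 0 if clean.
# Real-world use: curl -sI https://your-host/ | audit_headers
audit_headers() {
    local found=0 line name value lname
    CR=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$CR"}              # strip CR from CRLF line endings
        [ -z "$line" ] && break         # blank line ends the header block
        case "$line" in *:*) ;; *) continue ;; esac   # skip the status line
        name=${line%%:*}
        value=${line#*:}; value=${value# }
        lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')   # names are case-insensitive
        case "$lname" in
            x-powered-by|x-aspnet-version|x-aspnetmvc-version)
                printf 'DISCLOSURE %s: %s\n' "$name" "$value"; found=1 ;;
            server)
                # "Server: Apache" (ServerTokens Prod) is acceptable; a value
                # with a version or OS, e.g. "Apache/2.4.41 (Ubuntu)", is not
                case "$value" in
                    */*|*\(*) printf 'DISCLOSURE %s: %s\n' "$name" "$value"; found=1 ;;
                esac ;;
        esac
    done
    return "$found"
}

# is_clean: 0 when the given raw response discloses nothing, 1 otherwise
is_clean() { printf '%s' "$1" | audit_headers >/dev/null; }

# Constructed sample responses before and after hardening (not real captures)
BEFORE=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu) PHP/7.4.3\r\nX-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n<html>')
AFTER=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>')

printf 'Before hardening:\n'; printf '%s' "$BEFORE" | audit_headers || true
printf 'After hardening:\n';  printf '%s' "$AFTER"  | audit_headers && printf '  clean\n'
```

Run it against the live server after restarting httpd or IIS; if Server still shows a version, the directive was not picked up, since on some Apache builds only ServerTokens Prod reduces the Server value while Header unset Server has no effect.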