httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rich Bowen <>
Subject New FAQ: Changing Server: header info.
Date Tue, 25 Jun 2002 19:28:09 GMT
Got tired of answering this one on IRC. Feedback requested.

How can I change the information that Apache returns about itself
in the headers?

When a client connects to Apache, part of the information returned in
the headers is the name "Apache" Additional information that can be sent
is the version number, such as "1.3.26", the operating system, and a
list of non-standard modules you have installed.

Frequently, people want to remove this information, under the mistaken
understanding that this will make the system more secure. This is
probably not the case, as the same exploits will likely be attempted
regardless of the header information you provide.

There are, however, two answers to this question: the correct answer,
and the answer that you are probably looking for.

The correct answer to this question is that you should use the
ServerTokens directive to alter the quantity of information which is
passed in the headers. Setting this directive to "Prod" will pass the
lease possible amount of information:

Server: Apache

The answer you are probably looking for is how to make Apache lie about
what what it is, ie send something like:

Server: Bob's Happy HTTPd Server

In order to do this, you will need to modify the Apache source code and
rebuilt Apache. This is not advised, as it is almost certain not to
provide you with the added security you think that you are gaining. The
exact method of doing this is left as an exercise for the reader, as we
are not keen on helping you do something that is intrinsically a bad

Rich Bowen -
Author - Apache Administrator's Guide

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message