httpd-users mailing list archives

From Owen Boyle
Subject Re: hiding apache version in the http header
Date Tue, 29 Jan 2002 17:21:02 GMT
Milind Sawant wrote:

> This version is sent as a http header between the browser and apache.
> Server: Apache/1.3.19 (Unix) mod_ssl/2.8.3 OpenSSL/0.9.5a
> Is it possible to do any configuration on apache to hide the version..

Use the ServerTokens directive, e.g.

ServerTokens ProductOnly

Although bear in mind that you make life difficult for agencies doing

> for security reasons?

Aha! That's another matter... You are obviously under the impression
that if a hacker knows what version of apache you have, he will find it
easier to break in. I would argue that this is not true - a hacker will
try his exploits no matter what version you say you have and if your
system is insecure, he will break in. Security comes through ensuring
you have a well-configured FW and server, with attention paid to all
known holes - not through trying to hide your version.

To put it another way, it's like scraping the word "Chubb" or "Yale" off
your door-lock in the hope that a burglar will be so baffled by this
that he will not attempt to break in :-)


Owen Boyle.
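
An added example, not part of the original message: a small Python check an administrator could run over the `Server` header their own server returns, to see what it discloses and which `ServerTokens` setting that output corresponds to. The function names are hypothetical, the level names are the Apache 1.3 `ServerTokens` values, and every sample header other than the one quoted in the message is constructed.

```python
import re

# Matches either a "(comment)" group or a product[/version] token.
_TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/(\S+))?")

def parse_server_header(value):
    """Split a Server header value into (name, version) products and comments."""
    products, comments = [], []
    for m in _TOKEN.finditer(value):
        if m.group(1) is not None:
            comments.append(m.group(1))
        else:
            products.append((m.group(2), m.group(3)))
    return products, comments

def disclosure_report(value):
    """Report what the header reveals and the ServerTokens level it matches."""
    products, comments = parse_server_header(value)
    if not products:
        return {"level": "none", "versions": [], "os": None}
    (_, version), modules = products[0], products[1:]
    if modules:
        level = "Full"          # server version, OS and module versions
    elif comments:
        level = "OS"            # server version and OS type
    elif version:
        level = "Minimal"       # server version only
    else:
        level = "ProductOnly"   # product name only
    versions = [f"{n}/{v}" for n, v in products if v]
    return {"level": level, "versions": versions,
            "os": comments[0] if comments else None}

SAMPLE_HEADERS = [
    "Apache/1.3.19 (Unix) mod_ssl/2.8.3 OpenSSL/0.9.5a",  # quoted in the message
    "Apache/1.3.19 (Unix)",                               # constructed
    "Apache/1.3.19",                                      # constructed
    "Apache",                                             # constructed
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header!r}: {disclosure_report(header)}")
```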

The official User-To-User support forum of the Apache HTTP Server Project.