httpd-users mailing list archives
From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Hiding webserver name/version from clients
Date Thu, 03 Jul 2003 09:41:08 GMT
>-----Original Message-----
>From: Al Caponi [mailto:don_alcaponi@yahoo.com.sg]
>
>Hi,
>If I configure Apache not to give any hint on its web pages (e.g. error
>pages) that the web server is Apache, is it possible for an 
>advanced user to
>find out the origin of the webserver through other means?
>Is it possible, for security reasons, in Apache 1.x or 2.x to 
>totally hide
>the webserver name/version from the clients? I.e. If I don't 
>want my clients
>to know that the server they are connecting to is an Apache etc.

See "ServerTokens" to obscure the server details. The minimum is
"Apache" which may not be sufficiently obscure for you. To obscure it
further, you can always edit the source and recompile (the power of
OSS). The simplest way would be to redefine SERVER_BASEPRODUCT in
src/include/httpd.h. This is normally set to "Apache" but you could
redefine it to "My Secret Webserver", if you think it'll do any good...

This question crops up every few months from someone who's read a
security webpage and decided that advertising the server name is a big
security risk. Personally, I think that's rubbish - hackers do not
bother to check your server type or version before attacking you (if
they did, why does your apache server continually get pestered by Code
Red and Nimda worms which afflict only IIS?) Secondly, if you do have a
vulnerable server, they'll find you anyway - hiding your version is no
security.

Removing the server signature is about as useful as painting out the
word "Yale" on a padlock - if nobody knows who made the padlock, does it
make it more secure?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

 

>
>Many thanks,
>Al.
>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP 
>Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>
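The reply above names the two knobs that control what an Apache response reveals: `ServerTokens` (which sets the `Server:` header) and, for generated error pages, the `ServerSignature` footer. The following script is an added example written for this archive page, not code from the Apache project or from either poster. It takes a raw HTTP response, reports which `ServerTokens` level would have produced its `Server:` header, and flags a signature footer in the body, so an administrator can confirm a configuration change actually took effect. The two sample responses are constructed, not captured from a real host, and the host name in them is a placeholder. As Owen notes, passing this check obscures the build string; it does not patch anything.

```python
"""Audit what an Apache HTTP response discloses about the server build.

Reference mapping (documented Apache behaviour, shown here for orientation):

    ServerTokens Prod    ->  Server: Apache
    ServerTokens Major   ->  Server: Apache/2
    ServerTokens Minor   ->  Server: Apache/2.4
    ServerTokens Min     ->  Server: Apache/2.4.41
    ServerTokens OS      ->  Server: Apache/2.4.41 (Unix)
    ServerTokens Full    ->  Server: Apache/2.4.41 (Unix) PHP/7.4.3

'ServerSignature Off' removes the "<address>Apache/... Server at host Port N
</address>" footer that mod_core appends to generated error pages.
"""
import re
from typing import Optional


def server_header(raw_response: str) -> Optional[str]:
    """Return the value of the Server header, or None if the header is absent."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def tokens_level(server: Optional[str]) -> str:
    """Map a Server header value to the ServerTokens level that produces it."""
    if server is None:
        return "none"
    product, _, rest = server.partition(" ")
    _name, _, version = product.partition("/")
    rest = rest.strip()
    if not version:
        return "Prod"                              # bare product name
    if rest:
        # "(Unix)" alone is the OS level; anything more is Full
        return "OS" if re.fullmatch(r"\([^)]*\)", rest) else "Full"
    dots = version.count(".")
    return "Major" if dots == 0 else "Minor" if dots == 1 else "Min"


def signature_footer(raw_response: str) -> Optional[str]:
    """Return the ServerSignature footer found in the body, if any."""
    _, _, body = raw_response.partition("\r\n\r\n")
    m = re.search(r"<address>(.*?)</address>", body, re.S | re.I)
    return m.group(1).strip() if m else None


def audit(raw_response: str) -> dict:
    """Summarise what a single response discloses."""
    server = server_header(raw_response)
    level = tokens_level(server)
    return {
        "server": server,
        "tokens_level": level,
        "signature_footer": signature_footer(raw_response),
        "discloses_version": level not in ("none", "Prod"),
    }


# Constructed sample responses (www.example.com is a placeholder host).
LEAKY = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Thu, 03 Jul 2003 09:41:08 GMT\r\n"
    "Server: Apache/2.4.41 (Unix) PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1><hr>\n"
    "<address>Apache/2.4.41 (Unix) Server at www.example.com Port 80</address>\n"
    "</body></html>"
)
HARDENED = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Thu, 03 Jul 2003 09:41:08 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, resp in (("ServerTokens Full", LEAKY), ("ServerTokens Prod", HARDENED)):
        print(label, audit(resp))
```

Run it after changing `ServerTokens` and `ServerSignature` and restarting httpd, feeding it the response to a request for a non-existent path, since error pages are where the signature footer appears. A `Prod` result with no footer is the most the stock directives can do; going below "Apache" itself requires the source edit the reply describes.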




