httpd-users mailing list archives

From "Simon Ashford" <Simon.Ashf...@npl.co.uk>
Subject RE: [users@httpd] Removing or overwriting "Server" header field.
Date Wed, 24 Jan 2007 17:50:20 GMT

Hmmm...

Doesn't seem to work.  Still get "Server: Apache" in the
HTTP headers regardless of SecServerSignature.

Get the impression from various reading that the Server
header is added by Apache pretty much at the very end of
processing, after anything done by other modules.

Probably something the developers ought to address. It would
be nice, for example, to be able to put "ServerTokens None"
or some such in the basic configuration file without needing
any other modules loaded...


Simon Ashford.


-----Original Message-----
From: Pierre-Yves Bonnetain [mailto:py.bonnetain@ba-cst.com]
Sent: 24 January 2007 14:53
To: users@httpd.apache.org
Subject: Re: [users@httpd] Removing or overwriting "Server" header
field.


Hello,

Simon Ashford wrote:
> We recently had a security audit done and one of the
> points noted was that it was possible to identify the
> web server software in use from the "Server" header.
> So I would like to remove or completely overwrite
> this header with something meaningless.

mod_security and SecServerSignature directive.
--
Pierre-Yves Bonnetain
B&A Consultants - Sécurité informatique - www.ba-cst.com
Tel. : +33 (0) 567 040 403 - Fax : +33 (0) 567 737 829
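
Added example, not part of the original thread: a Python check that reads the Server header from a raw HTTP response and reports which product names, versions and comments it exposes, so a configuration change can be verified against what the audit flagged. The sample responses are constructed, and the function names are this example's own.

```python
import re

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "product_only": b"HTTP/1.1 200 OK\r\nDate: Wed, 24 Jan 2007 17:50:20 GMT\r\n"
                    b"Server: Apache\r\nContent-Length: 0\r\n\r\n",
    "full": b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Unix) mod_ssl/2.2.3\r\n\r\n",
    "absent": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

# HTTP "product" token, optionally followed by "/version"; comments sit in parentheses.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PRODUCT = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")
COMMENT = re.compile(r"\(([^()]*)\)")

def server_header(raw: bytes):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def disclosure(raw: bytes) -> dict:
    """Summarise what a client learns from the Server header."""
    value = server_header(raw)
    if value is None:
        return {"present": False, "products": [], "versions": [], "comments": []}
    comments = COMMENT.findall(value)
    products = PRODUCT.findall(COMMENT.sub(" ", value))
    return {
        "present": True,
        "products": [name for name, _ in products],
        "versions": [f"{name}/{ver}" for name, ver in products if ver],
        "comments": comments,
    }

def audit_finding(raw: bytes) -> bool:
    """True when the response still names the server software."""
    return bool(disclosure(raw)["products"])

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit_finding(raw), disclosure(raw))
```

A bare "Server: Apache" still counts as a finding here, because the product name alone identifies the software even with no version attached.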



