Like the needy stranger who tells us his or her entire life story on the occasion of our first meeting, Apache spews out way too much information in every HTTP header. And like the unscrupulous sharpies who take advantage of lonely folks they meet on buses, there are those who would use this information to attack your system!
The default with Apache 1 and 2 is to send out information about the Server, Version, OS, and all modules compiled in. On a Red Hat system with the Apache 1.3.x RPM installed, it looks like this:
[usr-3@felix n]$ curl -s -I http://blahblah.com
HTTP/1.1 200 OK
Date: Fri, 11 Jul 2003 23:26:51 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2
Last-Modified: Thu, 10 Jul 2003 14:53:52 GMT
ETag: "8019e-d2af-3f0d7e00"
Accept-Ranges: bytes
Content-Length: 53935
Connection: close
Content-Type: text/html
We couldn’t make it much easier to fingerprint our system, or to simplify automated attacks that scan for vulnerable versions of Apache or its modules. Luckily, the solution is just one simple directive away: add the ServerTokens directive to your httpd.conf file, in the global configuration section. This directive, like ServerType, applies *only* globally; it cannot be set for individual virtual hosts. Its options range from the chatty verbosity seen above (“Full”) to a simple one-word response, which we prefer and have enabled by adding the following line to our httpd.conf:
ServerTokens Prod
Which makes our headers look like this:
[usr-3@felix n]$ curl -s -I http://blahblah.com
HTTP/1.1 200 OK
Date: Fri, 11 Jul 2003 23:43:51 GMT
Server: Apache
Last-Modified: Thu, 10 Jul 2003 14:53:52 GMT
ETag: "8019e-d2af-3f0d7e00"
Accept-Ranges: bytes
Content-Length: 53935
Connection: close
Content-Type: text/html
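To turn the before-and-after check into something you can run over a whole fleet, here is an added Python example (not code from the original post) that parses a raw HTTP response, reads the Server header, and reports which ServerTokens level would produce it. The two sample responses are constructed from the curl output shown above; the level names (Prod, Major, Minor, Min, OS, Full) are the values the ServerTokens directive accepts, and the mapping from header shape to level is my own approximation of Apache's documented behaviour.

```python
"""Audit how much an Apache ``Server`` header leaks (added example)."""
import re

# Constructed sample: the "Full" response quoted in the post, trimmed to the
# headers that matter for this check.
FULL_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 11 Jul 2003 23:26:51 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2
Last-Modified: Thu, 10 Jul 2003 14:53:52 GMT
Content-Type: text/html
"""

# Constructed sample: the same host after "ServerTokens Prod".
PROD_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 11 Jul 2003 23:43:51 GMT
Server: Apache
Content-Type: text/html
"""


def parse_headers(raw):
    """Return {lowercased header name: value} from a raw HTTP response.

    The status line is skipped and parsing stops at the first blank line,
    so a body (if present) is never mistaken for headers.
    """
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def server_tokens_level(server_value):
    """Approximate the ServerTokens level that would emit this Server header.

    Apache's levels, least to most verbose (mapping is my approximation):
      Prod  -> "Apache"
      Major -> "Apache/2"
      Minor -> "Apache/2.4"
      Min   -> "Apache/2.4.41"
      OS    -> "Apache/2.4.41 (Unix)"
      Full  -> OS plus compiled-in module tokens, e.g. "... PHP/4.1.2"
    Returns "unknown" for non-Apache or empty values.
    """
    value = server_value.strip()
    product, _, rest = value.partition(" ")
    name, _, version = product.partition("/")
    if name != "Apache":
        return "unknown"
    # Strip parenthesised OS groups; anything left over is a module token.
    leftover = re.sub(r"\([^)]*\)", "", rest).strip()
    if leftover:
        return "Full"
    if rest.strip():
        return "OS"
    parts = version.split(".") if version else []
    return {0: "Prod", 1: "Major", 2: "Minor"}.get(len(parts), "Min")


def audit(raw_response):
    """Classify a response and list every product/version token it leaks."""
    server = parse_headers(raw_response).get("server", "")
    return {
        "level": server_tokens_level(server),
        # Any "name/version" pair is a fingerprinting hint worth knowing about.
        "leaked": re.findall(r"[\w.-]+/[\w.-]+", server),
    }


if __name__ == "__main__":
    for label, raw in (("before", FULL_RESPONSE), ("after", PROD_RESPONSE)):
        result = audit(raw)
        verdict = "ok" if result["level"] == "Prod" else "set ServerTokens Prod"
        print(f"{label}: level={result['level']} leaked={result['leaked']} -> {verdict}")
```

In practice you would feed `audit()` the output of `curl -s -I` for each host; any result other than Prod means the global ServerTokens directive is missing or set too loosely on that server.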
Just one less piece of easy prey for the sharks.