site logoTune The Web
I've written a book! - click here to view or buy "HTTP/2 in Action" from Manning. Use code 39pollard to get 39% off!

Reduce or remove server headers

This page was originally created on and last edited on .

Introduction

Web servers often give full version information in a HTTP Header by default. For example Apache will show something like this:

Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2

In my opinion there is no real reason or need to show this much information and, I definitely do not think it should be the default. It is easy to look up particular vulnerabilities once you know the version number. Some people at Apache disagree, and have even gone so far as adding this to the official documentation:

Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems. Also note that disabling the Server: header does nothing at all to make your server more secure. The idea of "security through obscurity" is a myth and leads to a false sense of safety.

Now personally I disagree, and certainly when they are sending detailed version information and the OS information. Security by obscurity shouldn't be your only form of defence, but that doesn't mean security is any better by willing stating you're running vulnerably versions of software, if you haven't been able to upgrade them yet! Granted there are ways of finger-printing the server (e.g. an Apache server will send certain headers and in certain order) but that's not 100% reliable and even then it won't give up OS information. So I recommend removing this header, or when this is not possibly (e.g. for Apache) then at least changing it to provide the minimum information.

Apache by default will also give server signature information on certain error pages. For example the default 404 page will show that you are running Apache and potentially the webmaster e-mail address you have configured. Again this is unnecessary information for the web server to show in my opinion.

Other back end servers (e.g. Jboss, NodeJs, PHP) also set the "X-Powered-By" HTTP Header by default, which similarly is an unnecessary risk to display the software you are using. It's of no benefit to your website visitors so switch them off.

How to set it up

The following settings in Apache will reduce server headers:

#Reduce Server HTTP Header to the minimum product (Apache) rather than showing detailed version information of the server and operating system ServerTokens Prod #Remove the footer from error pages, which details the version numbers: ServerSignature Off # Hide X-Powered-By and Server headers, sent by downstream application servers: # Note you need both below as the "always" one doesn't work with Jboss for some reason Header always unset "X-Powered-By" Header unset "X-Powered-By"

There will be equivalent settings for other web servers and this link may help with the most common ones.

Note it is not possible to fully remove the Server header in Apache without resorting to editing the source code and, although this is not actually that difficult, I do not think it is necessary to go that far. It will make future upgrades more complicated and editing source code most people will not understand seems more dangerous than leaving this in place. Making this configurable has been proposed several times on the Apache httpd-dev mailing list, but the core developers there seem stubbornly against this.

Support

All web servers, but Apache allow ways of removing server headers easily. No web browser particularly cares if the server header is set or not from my experience, and certainly not if it's set to the minimal settings.

The downsides

Main downside is that it's not easy to remove this header in Apache and that the default setting is not the minimal as it should be!

Summary

There is some controversy about reducing the Server header and, while I can understand it will make reporting on web server usage more difficult and it might not be as easy to debug issues without knowing the specific version number, but I do not think the HTTP Header for every response is the place to put this information. I think the risk of displaying unnecessary software (and potentially OS) version numbers is such that all servers should default this to off, or at the very least allow this to be set. I recommend turning this off or, where that is not possible like in Apache, by reducing it to the minimum.

This page was originally created on and last edited on .

How useful was this page?
Loading interactions…