When a website is accessed, some server software transmits additional information, such as the server version, the operating system, or the plug-ins in use.

Attackers can use this information to target known vulnerabilities in the software in use. You can make their job harder by hiding such information.

Hiding Apache Server Version

The widely used Apache web server has settings that prevent this sensitive information from being disclosed.

Open your Apache web server configuration and apply the following settings:

ServerTokens Prod

ServerSignature Off

Some Apache web servers are configured to serve a detailed status report as a web page. In this case, proceed as follows:

  • Check whether your web server offers a status report.
    To do this, enter your domain in your browser followed by /server-info (e.g. http://example.com/server-info).
    If a page with technical information about your web server appears, your web server is vulnerable.
  • Look for the following block in your web server configuration:
    <Location "/server-status">
        SetHandler server-status
    </Location>
  • Adjust the configuration so that the page is not publicly accessible:
    <Location "/server-status">
        SetHandler server-status
        Order deny,allow
        Deny from all
    </Location>
  • Restart the Apache web server to load the customised configuration.
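To verify that the settings described above were actually applied, here is an added Python example (not from the original page or the Apache project) that audits the text of an Apache configuration for the three points covered here: ServerTokens, ServerSignature, and server-status/server-info blocks without an access restriction. It accepts both the Order/Deny syntax shown above (Apache 2.2, or 2.4 with mod_access_compat) and the Apache 2.4 Require syntax; the sample configuration is constructed for the demonstration.

```python
import re

# Constructed sample configuration (not from any real server): the weak global
# settings, the hardened block from the text, and an unrestricted /server-info.
SAMPLE_CONF = """\
ServerTokens Full
ServerSignature On
<Location "/server-status">
    SetHandler server-status
    Order deny,allow
    Deny from all
</Location>
<Location "/server-info">
    SetHandler server-info
</Location>
"""

# One <Location ...>...</Location> block; DOTALL lets the body span lines.
LOCATION_RE = re.compile(r'<Location\s+"?([^"\s>]+)"?\s*>(.*?)</Location>',
                         re.IGNORECASE | re.DOTALL)

def _directive(conf, name):
    """Value of the last occurrence of a directive anywhere in the file, or None."""
    value = None
    for line in conf.splitlines():
        m = re.match(r'\s*' + name + r'\s+(\S+)', line, re.IGNORECASE)
        if m:
            value = m.group(1)
    return value

def _is_restricted(body):
    """Heuristic: the block denies anonymous access using either the Apache 2.2
    syntax (Deny from all) or the 2.4 syntax (any Require other than all granted)."""
    if re.search(r'^\s*Deny\s+from\s+all\b', body, re.IGNORECASE | re.MULTILINE):
        return True
    requires = re.findall(r'^\s*Require\s+(.+)$', body, re.IGNORECASE | re.MULTILINE)
    return bool(requires) and not any(r.strip().lower() == 'all granted' for r in requires)

def audit_apache_config(conf):
    findings = []
    tokens = _directive(conf, 'ServerTokens')
    if (tokens or '').lower() != 'prod':           # Apache's default is Full
        findings.append(f'ServerTokens is {tokens or "unset (defaults to Full)"}; set it to Prod')
    signature = _directive(conf, 'ServerSignature')
    if signature is not None and signature.lower() != 'off':   # default is already Off
        findings.append(f'ServerSignature is {signature}; set it to Off')
    for path, body in LOCATION_RE.findall(conf):
        if re.search(r'SetHandler\s+server-(status|info)', body, re.I) and not _is_restricted(body):
            findings.append(f'{path} exposes a handler report without an access restriction')
    return findings
```

Pass it the concatenated text of httpd.conf or apache2.conf and any files they include, since the directives may live in either.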

Please refer to the official Apache documentation for further information.