Secure Apache ServerTokens and ServerSignature directives

November 30, 2011

Two configuration directives control how much version information Apache discloses. The ServerSignature directive adds a line containing the Apache HTTP Server version and the ServerName to any server-generated documents, such as error messages sent back to clients. ServerSignature is set to On by default. The ServerTokens directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules. With ServerTokens set to Prod, the server identifies itself only as Apache and no version number is sent back.


Modify your httpd.conf file and change the directives to look like this:

ServerSignature Off
ServerTokens Prod
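
To confirm the change took effect, inspect what the server actually returns. The script below is an added example, not part of the original post: it checks a raw HTTP response for the two disclosures described above. The function name and the sample responses (including version strings and host name) are constructed for illustration.

```python
import re

# Footer that ServerSignature appends to server-generated pages (e.g. a 404).
SIGNATURE_RE = re.compile(r"<address>(.*?Server at .*? Port \d+)</address>",
                          re.I | re.S)

def audit_response(raw):
    """Return a list of disclosure findings for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    server = None
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":      # header names are case-insensitive
            server = value.strip()
    findings = []
    # ServerTokens Prod leaves a bare product name such as "Apache";
    # anything else (version, OS type, modules) counts as disclosure.
    if server and not re.fullmatch(r"[A-Za-z]+", server):
        findings.append("Server header discloses detail: " + server)
    match = SIGNATURE_RE.search(body)
    if match:
        findings.append("ServerSignature footer present: " + match.group(1))
    return findings

# Constructed sample: response before the change.
BEFORE = ("HTTP/1.1 404 Not Found\r\n"
          "Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21\r\n"
          "Content-Type: text/html\r\n\r\n"
          "<html><body><h1>Not Found</h1><hr>\n"
          "<address>Apache/2.2.21 (Unix) Server at www.example.com Port 80"
          "</address>\n</body></html>")

# Constructed sample: response with ServerSignature Off and ServerTokens Prod.
AFTER = ("HTTP/1.1 404 Not Found\r\n"
         "Server: Apache\r\n"
         "Content-Type: text/html\r\n\r\n"
         "<html><body><h1>Not Found</h1></body></html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(raw) or "no version disclosure found")
```

Feed it the response to a request for a non-existent path, since the signature line only appears on server-generated documents.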