Apache mod_headers not working

apache-2.2 phusion-passenger

I have a Rails application served using Apache 2 and Phusion Passenger. As a security measure I'm trying to suppress all server-related HTTP headers. I've successfully turned off the Apache ones, but I'm having trouble using mod_headers to suppress the Passenger ones. I've enabled mod_headers using the a2enmod command and restarted the Apache process, but the X-Powered-By and X-Runtime headers still appear.

This is my vhost file:

<VirtualHost *:80>

  ServerAdmin webmaster@example.com
  ServerName  example.com
  ServerAlias www.example.com

  DocumentRoot /home/deploy/public_html/railsapp/current/public

  LogLevel warn
  ErrorLog /home/deploy/public_html/railsapp/shared/log/error.log
  CustomLog /home/deploy/public_html/railsapp/shared/log/access.log combined

  # Suppress Phusion Passenger HTTP headers
  <Location *>
    <IfModule mod_headers.c>
      Header unset X-Runtime
      Header unset X-Powered-By
    </IfModule>
  </Location>
</VirtualHost>

What am I doing wrong?

Best Answer

From the mod_headers docs:

The directives provided by mod_headers can occur almost anywhere within the server configuration. They are valid in the main server config and virtual host sections, inside <Directory>, <Location>, and <Files> sections, and within .htaccess files.

If you want this to apply to the whole vhost, why put it inside <Location> tags? Just put the directives inside the main vhost config.

<VirtualHost *:80>

  ServerAdmin webmaster@example.com
  ServerName  example.com
  ServerAlias www.example.com

  DocumentRoot /home/deploy/public_html/railsapp/current/public

  LogLevel warn
  ErrorLog /home/deploy/public_html/railsapp/shared/log/error.log
  CustomLog /home/deploy/public_html/railsapp/shared/log/access.log combined

  <IfModule mod_headers.c>
    Header unset X-Runtime
    Header unset X-Powered-By
  </IfModule>

</VirtualHost>

I haven't tested this so apologies in advance if it's incorrect.
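
A way to confirm whether the headers are actually gone after a config change, as an added example that is not part of the original question or answer. The names `leaky_headers`, `sample_before` and `sample_after` are hypothetical, the sample responses are constructed, and treating a versioned `Server` value as a leak is an assumption of this example.

```shell
# Headers the vhost on this page is meant to remove (lower-case names).
SUPPRESSED="x-powered-by x-runtime"

# Reads a raw HTTP response header block on stdin (for example from curl -sI).
# Prints each header that still leaks; exit status is 1 if any were found.
leaky_headers() {
  awk -v deny="$SUPPRESSED" '
    BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
    { sub(/\r$/, "") }                      # tolerate CRLF line endings
    /^HTTP\// || /^$/ { next }              # skip status lines and blank separators
    {
      colon = index($0, ":")
      if (colon == 0) next                  # not a header line
      name  = tolower(substr($0, 1, colon - 1))   # header names are case-insensitive
      value = substr($0, colon + 1)
      sub(/^[ \t]+/, "", value)
      if (name in bad) { print name ": " value; found = 1 }
      # Assumption: a Server value with a version token (product/1.2) counts as a leak.
      else if (name == "server" && value ~ /\/[0-9]/) { print name ": " value; found = 1 }
    }
    END { exit (found ? 1 : 0) }
  '
}

# Constructed sample responses (not captured from a real server).
sample_before() {
  printf '%s\r\n' 'HTTP/1.1 200 OK' \
    'Server: Apache/2.2.14 (Ubuntu) Phusion_Passenger/3.0.0' \
    'X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.0' \
    'X-Runtime: 0.01234' 'Content-Type: text/html; charset=utf-8' ''
}
sample_after() {
  printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' 'Content-Type: text/html' ''
}

# Demo on the constructed samples.
sample_before | leaky_headers || echo "headers still exposed"
sample_after  | leaky_headers && echo "clean"
```

Against a live vhost, pipe the response headers in after each reload: `curl -sI http://example.com/ | leaky_headers`.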