Any reason to keep the “Server” response header in Apache

apache-2.2, http-headers

My server responds with Server: Apache/2.2.15 (CentOS) to all requests. I guess that this gives away my server architecture, making hack attempts easier.

Is this ever useful to a web browser? Should I keep it on?

Best Answer

In my opinion, it is best to mask this as much as possible. It's one of the tools you use to hack a web site - discover its technology, use the known flaws of that technology. The same reason why security best practice a while back started promoting URLs in the form "/view/page" instead of "/view/page.jsp" or "/view/page.asp"... so the underlying technology would not be exposed.

There are some discussions about this such as https://stackoverflow.com/questions/843917/why-does-the-server-http-header-exist and http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html and obviously the Hacking Exposed book.

Also this one on the Security SE: https://security.stackexchange.com/questions/23256/what-is-the-http-server-response-header-field-used-for

But keep in mind that this is not an end-all to securing your servers. Just one more step in the right direction. It does not prevent any hack from being executed. It just makes it less visible as to what hack should be performed.
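As an added example (not part of the answer above), the following POSIX shell check reads raw HTTP response headers and reports whether the Server header still discloses a version number, so you can verify the masking actually took effect. The two responses are constructed samples: the first mimics the default Apache 2.2 banner from the question, the second what Apache sends after `ServerTokens Prod` (together with `ServerSignature Off`, which keeps the version out of server-generated error pages) is set in httpd.conf.

```shell
#!/bin/sh
# Added example, not from the original answer. Checks whether an HTTP
# response's Server header discloses a product version.

# server_header_leaks: reads raw response headers on stdin, prints the
# Server header value, returns 0 if it contains a digit (i.e. a version),
# 1 if the header is absent or carries only the product name.
server_header_leaks() {
    value=$(tr -d '\r' | awk 'tolower($1)=="server:" {sub(/^[^ ]+ */,""); print; exit}')
    printf '%s\n' "$value"
    case "$value" in
        *[0-9]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample: default Apache 2.2 banner (no ServerTokens directive).
LEAKY_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.2.15 (CentOS)
Content-Type: text/html'

# Constructed sample: same server after "ServerTokens Prod".
MASKED_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html'

# check_sample: classify one raw response. Against a live host you would
# pipe "curl -sI http://your-host/" (assumed URL) into server_header_leaks.
check_sample() {
    if printf '%s\n' "$1" | server_header_leaks >/dev/null; then
        echo "version disclosed"
    else
        echo "no version disclosed"
    fi
}

check_sample "$LEAKY_RESPONSE"   # version disclosed
check_sample "$MASKED_RESPONSE"  # no version disclosed
```

Core Apache 2.2 cannot drop the header entirely; `ServerTokens Prod` reduces it to the bare product name, which is why the check flags version digits rather than the header's mere presence.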