How to Configure your Web Server to Not Disclose its Identity

If you are running a web server, that web server is probably showing the world what type of server it is, and possibly its version number. This information is ignored by most people, with the exception of hackers, who use it to launch targeted attacks against your specific web server and version. In addition, if the version of your web server is known to be vulnerable to a specific exploit, the hacker would just need to use that exploit as part of the attack on your server.

An Acunetix Online Vulnerability Scanner (OVS) network scan would highlight and report that your web server is providing such information, and would recommend limiting the information provided by your web server. This does not fix any vulnerabilities, and thus does not remove the need to install updates; however, it makes things slightly more difficult for the hacker.

The following is an example of the header sent from a web server that is exposing too much information:

HTTP/1.1 200 OK
Date: Thu, 12 Jun 2014 14:15:01 GMT
Server: Apache/2.2.21 (Win32) PHP/5.4.7
Connection: close
Content-Type: text/html; charset=iso-8859-1

In this article, we will show you how to configure the three most popular web servers, Apache, IIS and nginx, to limit the information they provide about the web server software being used.

Limiting Information provided by Apache

You can limit the information that Apache presents by creating or editing the following directives in httpd.conf.

  • ServerTokens Prod
    This will configure Apache to not send any version numbers in the HTTP header, so that the Server line will read: Server: Apache
  • ServerSignature Off
    This will ensure that Apache does not display the server version in the footer of server-generated pages.
  • The above solution would still not allow you to hide the fact that you are using Apache, since the Server HTTP header will still say Apache. This can be altered using ModSecurity.

Limiting Information provided by IIS

IIS will also expose its version in the HTTP responses.

Microsoft provides URLScan, which can be used to remove server information from HTTP responses sent by IIS. URLScan requires IIS6 Metabase compatibility to work. Additionally, the configuration made to IIS is global. If you want to set up this configuration on a site-by-site basis, check out this article.

  • Enable Metabase Compatibility. Find out how to enable Metabase compatibility.
  • Install URLScan
  • Open the URLScan.ini file with a text editor. The file is usually located in the %WINDIR%\System32\Inetsrv\URLscan directory.
  • Search for the key RemoveServerHeader, which by default is set to 0. Set the value to 1 in order to remove the Server header.

Limiting Information provided by nginx

You can limit the information that nginx presents by creating or editing the following directive in nginx.conf.

Find the http section, which defines the configuration for nginx’s HttpCoreModule. Uncomment (remove the ‘#’ symbol) or add the following directive:

server_tokens off;

This will configure nginx not to send any version numbers in the HTTP header.

Removing the server name is possible; however, since nginx modules cannot be dynamically loaded, you would need to recompile nginx from source with the HttpHeadersMoreModule nginx module.
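To verify that the changes above actually took effect, the following added example (not part of the original article) parses a raw HTTP response and classifies how much its headers reveal, using the article's own verbose response and the results the Apache, nginx and IIS changes should produce. The X-Powered-By and X-AspNet-Version checks are my addition: an application stack can still leak its version through them after the Server header has been trimmed.

```python
import re

# Headers that commonly carry product/version info; Server is the one the article
# discusses, the X-* names are my additions (hiding Server alone leaves them intact).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # e.g. 2.2.21, 5.4.7

def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: value})."""
    lines = raw.splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def disclosure_level(headers):
    """'version' if a version number is present, 'product' if only a name, else 'none'."""
    level = "none"
    for name in DISCLOSING_HEADERS:
        value = headers.get(name, "")
        if VERSION_RE.search(value):
            return "version"
        if value:
            level = "product"
    return level

def audit(raw):
    """Return (level, [(header, value), ...]) for one raw response."""
    _, headers = parse_headers(raw)
    findings = [(n, headers[n]) for n in DISCLOSING_HEADERS if headers.get(n)]
    return disclosure_level(headers), findings

# Constructed samples: "verbose" is the response quoted in the article; the others
# show what ServerTokens Prod, server_tokens off and the IIS header rewrite yield.
SAMPLES = {
    "verbose": ("HTTP/1.1 200 OK\r\nDate: Thu, 12 Jun 2014 14:15:01 GMT\r\n"
                "Server: Apache/2.2.21 (Win32) PHP/5.4.7\r\nConnection: close\r\n"
                "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"),
    "apache_prod": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    "nginx_off": "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n",
    "iis_rewritten": "HTTP/1.1 200 OK\r\nServer: \r\nContent-Type: text/html\r\n\r\n",
    "leaky_app": "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Powered-By: PHP/7.4.3\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, *audit(raw))
```

To check a live server, feed the function the header block captured with curl -sI or a similar tool.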

  • For IIS 7 and above, add a URL Rewrite outboundRule to your website’s web.config file:

    in the node. This does not really remove the Server response header, but empties its result. You can also rewrite it with bogus information if you’d like.

    • Web.config code:

      <outboundRules rewriteBeforeCache="true">
        <rule name="Remove Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>

  • Hi, can you specify how to manage this with .htaccess on Apache? I don't have the httpd.conf file to configure, but I can make changes to the .htaccess file. Many thanks

    • Hi, I believe you should still be able to use ServerSignature Off in your .htaccess file. I would advise you to take a backup of your .htaccess file before you make any changes, just in case something goes wrong.
