Masking Your Web Server’s Identity

July 9th, 2007

If you’ve never looked at the HTTP response headers your web server sends out, you might be a little surprised at what you find; by default both Apache and IIS give out more information than most people would expect.

Here is an example of the Server header a default Apache build sends (product, version, OS, and loaded modules with their versions):

Server: Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.7a

Now that may be fine internally, but I don’t know if I’m comfortable announcing that information to everyone who stumbles across my web server on the Internet. By adding two directives to the main Apache configuration (ServerTokens only takes effect at the server level, not inside a VirtualHost; ServerSignature controls the "Apache/2.2.0 (Unix) ... Server at host Port 80" footer on server-generated pages such as 404 errors and directory listings):

ServerTokens ProductOnly
ServerSignature Off

…then restarting Apache, the header is reduced to the product name only:

Server: Apache

Note that this is as far as the core directives go: ServerTokens can shorten the header but cannot remove it or change the product name. Doing that takes a module such as mod_security (SecServerSignature) or a third-party product.
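To make the before/after concrete, here is a small audit script that parses a raw HTTP response and reports how much the Server header reveals. It is an added example, not code from the original post: the two sample responses are constructed to match the headers discussed above (they were not captured from a real server), and the mapping from header shape to ServerTokens level follows Apache’s documented levels (Prod, Major, Minor, Min, OS, Full). It also flags X-Powered-By, a header PHP adds by default, which goes slightly beyond the post’s Server-header example.

```python
import re

# Constructed sample responses, modelled on the headers shown in the post.
# They were written for this example, not captured from a live server.
FULL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 09 Jul 2007 12:00:00 GMT\r\n"
    "Server: Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.7a\r\n"
    "X-Powered-By: PHP/5.2.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

PROD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 09 Jul 2007 12:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Apache's Server header, from least to most verbose ServerTokens setting:
#   Prod   -> Apache
#   Major  -> Apache/2
#   Minor  -> Apache/2.2
#   Min    -> Apache/2.2.0
#   OS     -> Apache/2.2.0 (Unix)
#   Full   -> Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.7a
# The lookahead keeps products like "Apache-Coyote/1.1" (Tomcat) from
# being mistaken for httpd.
_APACHE_RE = re.compile(
    r"^Apache(?=$|[/ ])"
    r"(?:/(?P<ver>\d+(?:\.\d+){0,2}))?"
    r"(?:\s+\((?P<os>[^)]*)\))?"
    r"(?P<rest>.*)$"
)


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP response into a {lowercase-name: value} dict.
    Only the head is parsed; the body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def server_tokens_level(server: str) -> str:
    """Return the least verbose ServerTokens level that could have produced
    this Server header, or 'non-apache' if it does not look like httpd."""
    m = _APACHE_RE.match(server)
    if not m:
        return "non-apache"
    if m.group("rest").strip():          # module list after the OS
        return "Full"
    if m.group("os") is not None:
        return "OS"
    ver = m.group("ver")
    if ver is None:
        return "Prod"
    return {1: "Major", 2: "Minor", 3: "Min"}[ver.count(".") + 1]


def audit(raw: str) -> list:
    """Return findings for response headers that reveal more than needed."""
    headers = parse_headers(raw)
    findings = []
    server = headers.get("server", "")
    level = server_tokens_level(server)
    if level == "non-apache":
        if re.search(r"\d", server):     # e.g. nginx/1.2.3, Microsoft-IIS/6.0
            findings.append(f"Server header carries a version: {server}")
    elif level != "Prod":
        findings.append(
            f"Server header leaks version/OS/modules (ServerTokens {level}): {server}"
        )
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By leaks the application stack: {headers['x-powered-by']}")
    return findings


if __name__ == "__main__":
    for label, resp in (("default", FULL_RESPONSE), ("ProductOnly", PROD_RESPONSE)):
        print(label, audit(resp) or ["no obvious leaks in Server/X-Powered-By"])
```

Point the same logic at `curl -sI http://yourhost/` output (or a saved response) to confirm the restart actually took; a ServerTokens line placed inside a VirtualHost block is silently ignored, which this check will catch.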
OK, that’s a bit better, but if we really want to mask our identity we’ll have to change more than headers. Identifying information leaks out at several levels; hardening the application layer is a good start, but don’t forget the TCP/IP layer underneath it. Making sure your firewall blocks the appropriate ports is critical, but it won’t stop an attacker from determining your OS from your TCP/IP stack’s fingerprint (the technique behind nmap’s OS detection), since the details of how your stack answers probes on the ports you do leave open are enough. For more information, check out Port 80 Software’s Server Mask.