Is there any reason to keep the "Server" response header in Apache

My server responds with Server: Apache/2.2.15 (CentOS) to all requests. I guess that this gives away my server architecture, making hack attempts easier.

Is this ever useful to a web browser? Should I keep it on?


In my opinion, it is best to mask this as much as possible. It's one of the tools you use to hack a web site - discover its technology, use the known flaws of that technology. The same reason why security best practice a while back started promoting URLs in the form "/view/page" instead of "/view/page.jsp" or "/view/page.asp"... so the underlying technology would not be exposed.

There are some discussions about this such as https://stackoverflow.com/questions/843917/why-does-the-server-http-header-exist and http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html and obviously the Hacking Exposed book.

Also this on the Security SE https://security.stackexchange.com/questions/23256/what-is-the-http-server-response-header-field-used-for

But keep in mind that this is not an end-all to securing your servers. Just one more step in the right direction. It does not prevent any hack from being executed. It just makes it less visible as to which hack should be performed.


You can change the Server header if you want, but don't count on this for security. Only keeping up to date will do that, since an attacker can just ignore your Server header and try every known exploit from the beginning of time.

RFC 2616 states, in part:

Server implementors are encouraged to make this field a configurable option.

And Apache did, with the ServerTokens directive. You can use this if you wish, but again, don't think that it's going to magically prevent you from getting attacked.
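As an added illustration (not part of this answer), the following script parses a raw HTTP response, pulls out the Server header and infers which ServerTokens level would have produced it; the six level names and the shape of their output follow the directive's documented behaviour, while the sample response, version numbers and the function names (server_header, classify_servertokens, audit) are constructed for the example.

```python
import re
from typing import Optional

# Apache's ServerTokens levels and the Server header each one emits. The
# product/OS layout follows the directive's documentation; the version numbers
# and module string are constructed for this example.
SERVERTOKENS_EXAMPLES = {
    "Full":    "Apache/2.2.15 (CentOS) PHP/5.3.3",
    "OS":      "Apache/2.2.15 (CentOS)",
    "Minimal": "Apache/2.2.15",
    "Minor":   "Apache/2.2",
    "Major":   "Apache/2",
    "Prod":    "Apache",
}

# product token, optional "(OS)" group, then anything else (module versions).
_HEADER_RE = re.compile(r"^(?P<product>\S+)(?:\s+\((?P<os>[^)]*)\))?(?P<extra>.*)$")

def server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def classify_servertokens(value: str) -> str:
    """Infer which ServerTokens level an Apache Server header was produced with."""
    m = _HEADER_RE.match(value)
    if m is None or not m.group("product").startswith("Apache"):
        return "unknown"                    # not Apache, or a rewritten header
    if m.group("extra").strip():
        return "Full"                       # OS plus loaded module versions
    if m.group("os") is not None:
        return "OS"
    version = m.group("product").partition("/")[2]
    parts = len(version.split(".")) if version else 0
    return {0: "Prod", 1: "Major", 2: "Minor", 3: "Minimal"}.get(parts, "unknown")

def audit(raw_response: str) -> dict:
    """Summarise what the Server header reveals about version and OS."""
    value = server_header(raw_response)
    level = "none" if value is None else classify_servertokens(value)
    return {"server": value, "level": level,
            "leaks_version": level in ("Major", "Minor", "Minimal", "OS", "Full"),
            "leaks_os": level in ("OS", "Full")}

# Constructed sample response using the header quoted in the question.
SAMPLE = ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
          "Server: Apache/2.2.15 (CentOS)\r\nContent-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    print(audit(SAMPLE))   # the question's header corresponds to "ServerTokens OS"
```

Setting ServerTokens Prod in httpd.conf (and ServerSignature Off, so error pages stop appending the same string) is what reduces the header to the bare product name; run the audit against a captured response before and after to confirm the change took effect.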


Showing the full string, with version information, could leave you at an increased risk from 0day attacks if the attacker has been keeping a list of which servers run what software.

That being said, you shouldn't expect that hiding a server string will protect you from hacking attempts. There are ways to fingerprint a server based on the way responses and errors are reported.

I disable my strings as far as I can, but I don't sweat about the ones I can't hide (e.g. OpenSSH).