Change Apache httpd “Server:” HTTP header

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












30















One of the HTTP headers that the Apache httpd sends back with response data is "Server". For example, my web server machine is relatively up-to-date Arch Linux. It sends back headers closely resembling the following:



HTTP/1.1 404 Not Found
Date: Thu, 10 Apr 2014 17:19:27 GMT
Server: Apache/2.4.9 (Unix)
Content-Length: 1149
Connection: close
Content-Type: text/html


I have ServerSignature off in /etc/httpd/conf/httpd.conf, but the "Server:" header still appears. I have experimented with mod_headers. I have it enabled, and I've tried a few things:



<IfModule headers_module>
Header set ProcessingTime "%D"
Header set Server BigJohn
</IfModule>


After stopping and starting httpd with the above configuration, the HTTP headers include something like ProcessingTime: 1523, but the "Server:" header line remains unchanged. So I know that "mod_headers" is installed and enabled, and working, but not as I desire.



I see that something called "mod_security" claims to do this, but I don't want all the rest of the baggage that mod_security carries with it.



UPDATE:



Once you get mod_security installed, you only need a few directives:



<IfModule security2_module>
SecRuleEngine on
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>


That's for mod_security 2.7.7










share|improve this question



















  • 2





    Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.

    – Michael Ozeryansky
    Apr 10 '14 at 18:00











  • @MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf" I do stop and start httpd after changing httpd.conf.

    – Bruce Ediger
    Apr 10 '14 at 18:14















30















One of the HTTP headers that the Apache httpd sends back with response data is "Server". For example, my web server machine is relatively up-to-date Arch Linux. It sends back headers closely resembling the following:



HTTP/1.1 404 Not Found
Date: Thu, 10 Apr 2014 17:19:27 GMT
Server: Apache/2.4.9 (Unix)
Content-Length: 1149
Connection: close
Content-Type: text/html


I have ServerSignature off in /etc/httpd/conf/httpd.conf, but the "Server:" header still appears. I have experimented with mod_headers. I have it enabled, and I've tried a few things:



<IfModule headers_module>
Header set ProcessingTime "%D"
Header set Server BigJohn
</IfModule>


After stopping and starting httpd with the above configuration, the HTTP headers include something like ProcessingTime: 1523, but the "Server:" header line remains unchanged. So I know that "mod_headers" is installed and enabled, and working, but not as I desire.



I see that something called "mod_security" claims to do this, but I don't want all the rest of the baggage that mod_security carries with it.



UPDATE:



Once you get mod_security installed, you only need a few directives:



<IfModule security2_module>
SecRuleEngine on
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>


That's for mod_security 2.7.7










share|improve this question



















  • 2





    Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.

    – Michael Ozeryansky
    Apr 10 '14 at 18:00











  • @MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf" I do stop and start httpd after changing httpd.conf.

    – Bruce Ediger
    Apr 10 '14 at 18:14













30












30








30


11






One of the HTTP headers that the Apache httpd sends back with response data is "Server". For example, my web server machine is relatively up-to-date Arch Linux. It sends back headers closely resembling the following:



HTTP/1.1 404 Not Found
Date: Thu, 10 Apr 2014 17:19:27 GMT
Server: Apache/2.4.9 (Unix)
Content-Length: 1149
Connection: close
Content-Type: text/html


I have ServerSignature off in /etc/httpd/conf/httpd.conf, but the "Server:" header still appears. I have experimented with mod_headers. I have it enabled, and I've tried a few things:



<IfModule headers_module>
Header set ProcessingTime "%D"
Header set Server BigJohn
</IfModule>


After stopping and starting httpd with the above configuration, the HTTP headers include something like ProcessingTime: 1523, but the "Server:" header line remains unchanged. So I know that "mod_headers" is installed and enabled, and working, but not as I desire.



I see that something called "mod_security" claims to do this, but I don't want all the rest of the baggage that mod_security carries with it.



UPDATE:



Once you get mod_security installed, you only need a few directives:



<IfModule security2_module>
SecRuleEngine on
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>


That's for mod_security 2.7.7










share|improve this question
















One of the HTTP headers that the Apache httpd sends back with response data is "Server". For example, my web server machine is relatively up-to-date Arch Linux. It sends back headers closely resembling the following:



HTTP/1.1 404 Not Found
Date: Thu, 10 Apr 2014 17:19:27 GMT
Server: Apache/2.4.9 (Unix)
Content-Length: 1149
Connection: close
Content-Type: text/html


I have ServerSignature off in /etc/httpd/conf/httpd.conf, but the "Server:" header still appears. I have experimented with mod_headers. I have it enabled, and I've tried a few things:



<IfModule headers_module>
Header set ProcessingTime "%D"
Header set Server BigJohn
</IfModule>


After stopping and starting httpd with the above configuration, the HTTP headers include something like ProcessingTime: 1523, but the "Server:" header line remains unchanged. So I know that "mod_headers" is installed and enabled, and working, but not as I desire.



I see that something called "mod_security" claims to do this, but I don't want all the rest of the baggage that mod_security carries with it.



UPDATE:



Once you get mod_security installed, you only need a few directives:



<IfModule security2_module>
SecRuleEngine on
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>


That's for mod_security 2.7.7







http apache-httpd






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 12 '14 at 16:24







Bruce Ediger

















asked Apr 10 '14 at 17:31









Bruce EdigerBruce Ediger

35.1k566119




35.1k566119







  • 2





    Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.

    – Michael Ozeryansky
    Apr 10 '14 at 18:00











  • @MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf" I do stop and start httpd after changing httpd.conf.

    – Bruce Ediger
    Apr 10 '14 at 18:14












  • 2





    Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.

    – Michael Ozeryansky
    Apr 10 '14 at 18:00











  • @MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf" I do stop and start httpd after changing httpd.conf.

    – Bruce Ediger
    Apr 10 '14 at 18:14







2




2





Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.

– Michael Ozeryansky
Apr 10 '14 at 18:00





Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.

– Michael Ozeryansky
Apr 10 '14 at 18:00













@MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf" I do stop and start httpd after changing httpd.conf.

– Bruce Ediger
Apr 10 '14 at 18:14





@MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf" I do stop and start httpd after changing httpd.conf.

– Bruce Ediger
Apr 10 '14 at 18:14










4 Answers
4






active

oldest

votes


















10














The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using mod_security module, there is no other way to fully suppress the server ID header.



With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."






share|improve this answer























  • This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.

    – Bruce Ediger
    Apr 12 '14 at 16:15


















24














mod_security is great, but you don't really need it to achieve your goal.



after all mods have been included in httpd.conf you can simply unset the headers of your choosing.



Header unset Server

ServerSignature Off
ServerTokens Prod


http://httpd.apache.org/docs/2.4/mod/core.html#serversignature






share|improve this answer


















  • 2





    mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)

    – intika
    Aug 12 '15 at 18:13












  • This has no affect for me using Apache 2.2 (patched) on Centos 6.

    – jph
    Apr 19 '16 at 16:35






  • 1





    In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration

    – Raptor
    May 6 '16 at 10:07







  • 2





    @Raptor You have to install mod_headers with sudo a2enmod headers

    – Ortomala Lokni
    Nov 15 '16 at 15:58







  • 1





    Header unset Server does not work in Apache 2.2 and 2.4. Response headers still contains Server: Apache

    – Maris B.
    Jul 11 '18 at 8:28


















12














Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do



grep -Ri servertokens /etc/apache2


This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.



I simply changed the directives in security.conf and Apache started working as I wanted.



ServerTokens Prod
ServerSignature Off


On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.



I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.






share|improve this answer






























    1














    I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent..



    Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.




    ServerTokens none




    The response header would look like this:




    HTTP/1.1 200 OK



    Date: Mon, 28 Dec 2015 07:02:45 GMT



    Server:



    Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT



    .



    .







    share|improve this answer


















    • 2





      On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"

      – jph
      Apr 19 '16 at 16:36










    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f124137%2fchange-apache-httpd-server-http-header%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    4 Answers
    4






    active

    oldest

    votes








    4 Answers
    4






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    10














    The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using mod_security module, there is no other way to fully suppress the server ID header.



    With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."






    share|improve this answer























    • This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.

      – Bruce Ediger
      Apr 12 '14 at 16:15















    10














    The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using mod_security module, there is no other way to fully suppress the server ID header.



    With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."






    share|improve this answer























    • This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.

      – Bruce Ediger
      Apr 12 '14 at 16:15













    10












    10








    10







    The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using mod_security module, there is no other way to fully suppress the server ID header.



    With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."






    share|improve this answer













    The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using mod_security module, there is no other way to fully suppress the server ID header.



    With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Apr 10 '14 at 18:31









    ChipsterChipster

    30623




    30623












    • This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.

      – Bruce Ediger
      Apr 12 '14 at 16:15

















    • This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.

      – Bruce Ediger
      Apr 12 '14 at 16:15
















    This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.

    – Bruce Ediger
    Apr 12 '14 at 16:15





    This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.

    – Bruce Ediger
    Apr 12 '14 at 16:15













    24














    mod_security is great, but you don't really need it to achieve your goal.



    after all mods have been included in httpd.conf you can simply unset the headers of your choosing.



    Header unset Server

    ServerSignature Off
    ServerTokens Prod


    http://httpd.apache.org/docs/2.4/mod/core.html#serversignature






    share|improve this answer


















    • 2





      mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)

      – intika
      Aug 12 '15 at 18:13












    • This has no affect for me using Apache 2.2 (patched) on Centos 6.

      – jph
      Apr 19 '16 at 16:35






    • 1





      In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration

      – Raptor
      May 6 '16 at 10:07







    • 2





      @Raptor You have to install mod_headers with sudo a2enmod headers

      – Ortomala Lokni
      Nov 15 '16 at 15:58







    • 1





      Header unset Server does not work in Apache 2.2 and 2.4. Response headers still contains Server: Apache

      – Maris B.
      Jul 11 '18 at 8:28















    24














    mod_security is great, but you don't really need it to achieve your goal.



    after all mods have been included in httpd.conf you can simply unset the headers of your choosing.



    Header unset Server

    ServerSignature Off
    ServerTokens Prod


    http://httpd.apache.org/docs/2.4/mod/core.html#serversignature






    share|improve this answer


















    • 2





      mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)

      – intika
      Aug 12 '15 at 18:13












    • This has no affect for me using Apache 2.2 (patched) on Centos 6.

      – jph
      Apr 19 '16 at 16:35






    • 1





      In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration

      – Raptor
      May 6 '16 at 10:07







    • 2





      @Raptor You have to install mod_headers with sudo a2enmod headers

      – Ortomala Lokni
      Nov 15 '16 at 15:58







    • 1





      Header unset Server does not work in Apache 2.2 and 2.4. Response headers still contains Server: Apache

      – Maris B.
      Jul 11 '18 at 8:28













    24












    24








    24







    mod_security is great, but you don't really need it to achieve your goal.



    after all mods have been included in httpd.conf you can simply unset the headers of your choosing.



    Header unset Server

    ServerSignature Off
    ServerTokens Prod


    http://httpd.apache.org/docs/2.4/mod/core.html#serversignature






    share|improve this answer













    mod_security is great, but you don't really need it to achieve your goal.



    after all mods have been included in httpd.conf you can simply unset the headers of your choosing.



    Header unset Server

    ServerSignature Off
    ServerTokens Prod


    http://httpd.apache.org/docs/2.4/mod/core.html#serversignature







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Mar 31 '15 at 22:55









    Matt RyanMatt Ryan

    34123




    34123







    • 2





      mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)

      – intika
      Aug 12 '15 at 18:13












    • This has no affect for me using Apache 2.2 (patched) on Centos 6.

      – jph
      Apr 19 '16 at 16:35






    • 1





      In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration

      – Raptor
      May 6 '16 at 10:07







    • 2





      @Raptor You have to install mod_headers with sudo a2enmod headers

      – Ortomala Lokni
      Nov 15 '16 at 15:58







    • 1





      Header unset Server does not work in Apache 2.2 and 2.4. Response headers still contains Server: Apache

      – Maris B.
      Jul 11 '18 at 8:28












    • 2





      mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)

      – intika
      Aug 12 '15 at 18:13












    • This has no affect for me using Apache 2.2 (patched) on Centos 6.

      – jph
      Apr 19 '16 at 16:35






    • 1





      In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration

      – Raptor
      May 6 '16 at 10:07







    • 2





      @Raptor You have to install mod_headers with sudo a2enmod headers

      – Ortomala Lokni
      Nov 15 '16 at 15:58







    • 1





      Header unset Server does not work in Apache 2.2 and 2.4. Response headers still contains Server: Apache

      – Maris B.
      Jul 11 '18 at 8:28







    2




    2





    mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)

    – intika
    Aug 12 '15 at 18:13






    mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)

    – intika
    Aug 12 '15 at 18:13














    This has no affect for me using Apache 2.2 (patched) on Centos 6.

    – jph
    Apr 19 '16 at 16:35





    This has no affect for me using Apache 2.2 (patched) on Centos 6.

    – jph
    Apr 19 '16 at 16:35




    1




    1





    In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration

    – Raptor
    May 6 '16 at 10:07






    In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration

    – Raptor
    May 6 '16 at 10:07





    2




    2





    @Raptor You have to install mod_headers with sudo a2enmod headers

    – Ortomala Lokni
    Nov 15 '16 at 15:58






    @Raptor You have to install mod_headers with sudo a2enmod headers

    – Ortomala Lokni
    Nov 15 '16 at 15:58





    1




    1





    Header unset Server does not work in Apache 2.2 and 2.4. Response headers still contains Server: Apache

    – Maris B.
    Jul 11 '18 at 8:28





    Header unset Server does not work in Apache 2.2 and 2.4. Response headers still contains Server: Apache

    – Maris B.
    Jul 11 '18 at 8:28











    12














    Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do



    grep -Ri servertokens /etc/apache2


    This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.



    I simply changed the directives in security.conf and Apache started working as I wanted.



    ServerTokens Prod
    ServerSignature Off


    On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.



    I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.






    share|improve this answer



























      12














      Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do



      grep -Ri servertokens /etc/apache2


      This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.



      I simply changed the directives in security.conf and Apache started working as I wanted.



      ServerTokens Prod
      ServerSignature Off


      On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.



      I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.






      share|improve this answer

























        12












        12








        12







        Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do



        grep -Ri servertokens /etc/apache2


        This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.



        I simply changed the directives in security.conf and Apache started working as I wanted.



        ServerTokens Prod
        ServerSignature Off


        On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.



        I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.






        share|improve this answer













        Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do



        grep -Ri servertokens /etc/apache2


        This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.



        I simply changed the directives in security.conf and Apache started working as I wanted.



        ServerTokens Prod
        ServerSignature Off


        On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.



        I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Oct 27 '15 at 15:18









        slmaqslmaq

        12112




        12112





















            1














            I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent..



            Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.




            ServerTokens none




            The response header would look like this:




            HTTP/1.1 200 OK



            Date: Mon, 28 Dec 2015 07:02:45 GMT



            Server:



            Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT



            .



            .







            share|improve this answer


















            • 2





              On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"

              – jph
              Apr 19 '16 at 16:36















            1














            I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent..



            Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.




            ServerTokens none




            The response header would look like this:




            HTTP/1.1 200 OK



            Date: Mon, 28 Dec 2015 07:02:45 GMT



            Server:



            Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT



            .



            .







            share|improve this answer


















            • 2





              On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"

              – jph
              Apr 19 '16 at 16:36













            1












            1








            1







            I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent..



            Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.




            ServerTokens none




            The response header would look like this:




            HTTP/1.1 200 OK



            Date: Mon, 28 Dec 2015 07:02:45 GMT



            Server:



            Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT



            .



            .







            share|improve this answer













            I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent..



            Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.




            ServerTokens none




            The response header would look like this:




            HTTP/1.1 200 OK



            Date: Mon, 28 Dec 2015 07:02:45 GMT



            Server:



            Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT



            .



            .








            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Dec 28 '15 at 7:46









            Mohab ElsayedMohab Elsayed

            111




            111







            • 2





              On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"

              – jph
              Apr 19 '16 at 16:36












            • 2





              On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"

              – jph
              Apr 19 '16 at 16:36







            2




            2





            On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"

            – jph
            Apr 19 '16 at 16:36





            On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"

            – jph
            Apr 19 '16 at 16:36

















            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f124137%2fchange-apache-httpd-server-http-header%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?