Sunday, December 21, 2014

Remove Server and PHP info from response header

Below is a common HTTP Response Header:

HTTP/1.1 200 OK
Date: Wed, 21 Dec 2014 01:18:27 GMT
Server: Apache/2.0.55 (Debian) PHP/5.1.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

To keep your server safe from attack, you should hide all unnecessary information about your system. With Apache, this is controlled by the ServerTokens and ServerSignature configuration directives. The Apache manual lists every value of ServerTokens together with the Server header it produces:

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Major
Server sends (e.g.): Server: Apache/2
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

Obviously, we should set our config to ServerTokens Prod. To stop Apache from exposing the same information in the error pages it generates, ServerSignature also needs to be turned off:

ServerSignature Off

To hide the PHP-related information, locate the PHP config file (php.ini) and add:

expose_php = Off
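As an added example (not part of the original post), the following POSIX shell script checks a captured response header block for the disclosures discussed above: a Server header that still carries a version number or an OS token, and the X-Powered-By header that PHP emits while expose_php is On. The two header blocks are constructed samples: the first is the "before" response from the post, the second is what the same response looks like once ServerTokens Prod, ServerSignature Off and expose_php = Off are in place. In practice you would feed it the output of `curl -sI` against your own server; the hostname below is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Checks an HTTP response header block
# for the information-disclosure headers the post describes.
# Real use: report_findings "$(curl -sI https://www.example.invalid/)"  (placeholder host)

# Constructed sample: the leaky response from the post (ServerTokens Full, expose_php On).
LEAKY_HEADERS='HTTP/1.1 200 OK
Date: Wed, 21 Dec 2014 01:18:27 GMT
Server: Apache/2.0.55 (Debian) PHP/5.1.2
X-Powered-By: PHP/5.1.2
Content-Type: text/html; charset=utf-8'

# Constructed sample: the same response after
#   ServerTokens Prod
#   ServerSignature Off
#   expose_php = Off
HARDENED_HEADERS='HTTP/1.1 200 OK
Date: Wed, 21 Dec 2014 01:18:27 GMT
Server: Apache
Content-Type: text/html; charset=utf-8'

# report_findings: print one line per disclosure found in the header block passed as $1.
# Prints nothing when the response is clean.
report_findings() {
    headers=$1
    # A Server value containing "/<digit>" (any version token, even "Apache/2")
    # or a parenthesised token such as "(Debian)" is more than ServerTokens Prod sends.
    if printf '%s\n' "$headers" | grep -iE '^Server:.*(/[0-9]|\()' >/dev/null; then
        echo "Server header exposes version or OS details (set ServerTokens Prod)"
    fi
    # Any X-Powered-By header at all is a disclosure; expose_php = Off removes it.
    if printf '%s\n' "$headers" | grep -i '^X-Powered-By:' >/dev/null; then
        echo "X-Powered-By header present (set expose_php = Off in php.ini)"
    fi
}

# count_findings: number of disclosures in the header block passed as $1 (0 = clean).
count_findings() {
    report_findings "$1" | wc -l | tr -d ' '
}

echo "== leaky response =="
report_findings "$LEAKY_HEADERS"
echo "== hardened response =="
report_findings "$HARDENED_HEADERS"
echo "findings: leaky=$(count_findings "$LEAKY_HEADERS") hardened=$(count_findings "$HARDENED_HEADERS")"
```

The Server check deliberately flags even "Apache/2" (ServerTokens Major), since anything beyond the bare product name is more than the Prod setting sends; run the script again after restarting Apache to confirm both findings are gone.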
