Controlling HTTP Headers

You might be getting a little concerned about the amount of information your web server is handing out to the rest of the world. In the case of Apache, you limit what goes into the Server header line by setting the ServerTokens directive to the appropriate keyword (Minimal and ProductOnly may be abbreviated to Min and Prod). Apache 1.3 accepts four keywords; Apache 2.x adds Major and Minor, which cut the version down to its first one or two components:

ServerTokens Full

This returns the server type and version, the type of operating system, and information on supporting software, with their version numbers. For example:

    Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.12
    OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26

ServerTokens OS

This returns the server type and version, and the type of operating system. For example:

    Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux)

ServerTokens Minimal

This returns the server type and version. For example:

    Server: Apache/1.3.27

ServerTokens ProductOnly

This returns only the server type. For example:

    Server: Apache

The default Apache configuration file does not include this directive, not even in the commented-out form used for many other directives. Its absence has the same effect as ServerTokens Full, meaning that the maximum amount of information is revealed.

You can correct this easily by adding the directive anywhere in the main section of the file. Note that there can be only one ServerTokens setting; it applies to the entire server, across all virtual hosts, and cannot be changed per virtual host. My preference is for the OS option, which tells the world something about my site without revealing possible vulnerabilities. Bear in mind, though, that OS still discloses the exact Apache version, which is the one item an attacker most wants when matching your server against a list of known vulnerabilities; ProductOnly is the more conservative choice. Hiding the version is no substitute for patching, either, since an attacker can simply probe for a vulnerability rather than read about it in a header.

A related Apache directive is ServerSignature, which determines whether a line identifying your server is appended to the error pages (and other server-generated pages, such as directory listings) returned by the server. For example:

    Apache/1.3.27 Server at www.craic.com Port 80

This can be set to On, Off, or Email. With Email, the line includes a mailto link to the server administrator, using the address given by ServerAdmin. I recommend you set this to On because it helps you determine which server generated an error message. Be aware, though, that in Apache 1.3 this footer always shows the full version number, whatever ServerTokens is set to; only from Apache 2.0.44 on does ServerTokens control the version string in the footer as well. If you have chosen to hide the version in the Server header on a 1.3 server, set ServerSignature Off, or the version will leak through the error pages anyway.
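The following Python script is an added example, not code from the original text, that shows what each ServerTokens level gives away and whether an error page carries a ServerSignature footer. It classifies a Server header value into the level that would produce it, and scans a raw HTTP response for the <ADDRESS> element in which Apache writes the footer. It goes beyond the section in one respect: it also recognises the Major and Minor levels of Apache 2.x. The header strings and the 404 response embedded below are constructed for illustration (the hostname www.craic.com is the one from the section's own example), and fetch_raw is a helper of my own for pointing the audit at a live server.

```python
"""Audit what a Server header and an error-page footer disclose.

Added example, not code from the original text.  The header strings and the
raw 404 response below are constructed for illustration; the hostname
www.craic.com is the one used in the section's own example.
"""
import re
import socket
from typing import Optional

# One parenthesised comment such as "(Unix)", or one whitespace-separated
# token such as "Apache/1.3.27" or "mod_ssl/2.8.12".
_TOKEN = re.compile(r"\(([^)]*)\)|(\S+)")
# Apache places the ServerSignature footer in an <ADDRESS> element.
_FOOTER = re.compile(r"<address>(.*?)</address>", re.IGNORECASE | re.DOTALL)
_TAG = re.compile(r"<[^>]+>")


def classify_server_header(value: str) -> dict:
    """Map a Server header value to the ServerTokens level that produces it.

    Full         product/version (os) module/version ...
    OS           product/version (os)
    Minimal      product/version        e.g. Apache/1.3.27
    Minor        product/major.minor    e.g. Apache/2.4   (Apache 2.x only)
    Major        product/major          e.g. Apache/2     (Apache 2.x only)
    ProductOnly  product                e.g. Apache
    """
    product, version, comments, modules = None, None, [], []
    for match in _TOKEN.finditer(value.strip()):
        comment, token = match.group(1), match.group(2)
        if comment is not None:
            comments.append(comment.strip())      # OS and distribution
        elif product is None:
            product, _, version = token.partition("/")
            version = version or None
        else:
            modules.append(token)                 # supporting software, Full only
    if product is None:
        raise ValueError("empty Server header")

    if modules:
        level = "Full"
    elif comments:
        level = "OS"
    elif version:
        level = {1: "Major", 2: "Minor"}.get(len(version.split(".")), "Minimal")
    else:
        level = "ProductOnly"
    return {"level": level, "product": product, "version": version,
            "comments": comments, "modules": modules}


def split_response(raw: bytes):
    """Split a raw HTTP response into (status line, headers dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return lines[0], headers, body.decode("latin-1", "replace")


def signature_footer(body: str) -> Optional[dict]:
    """Return the ServerSignature footer text, if the page carries one."""
    match = _FOOTER.search(body)
    if match is None:
        return None
    inner = match.group(1)
    return {"text": " ".join(_TAG.sub("", inner).split()),
            "mailto": "mailto:" in inner.lower()}   # ServerSignature Email


def audit(raw: bytes) -> dict:
    """Report what one response gives away in its header and its footer."""
    status, headers, body = split_response(raw)
    header = classify_server_header(headers["server"]) if "server" in headers else None
    return {"status": status, "header": header, "signature": signature_footer(body)}


def fetch_raw(host: str, path: str = "/no-such-page", port: int = 80) -> bytes:
    """Helper (mine, not Apache's): fetch one response as raw bytes for audit().

    HTTP/1.0 is used so the server closes the connection after the reply."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample: a 404 from a server left at the ServerTokens default
# (Full) with ServerSignature On.
SAMPLE_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.12 "
    b"OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY>\r\n"
    b"<H1>Not Found</H1>\r\n"
    b"<HR>\r\n<ADDRESS>Apache/1.3.27 Server at www.craic.com Port 80</ADDRESS>\r\n"
    b"</BODY></HTML>\r\n"
)

if __name__ == "__main__":
    for header in ("Apache", "Apache/1.3.27", "Apache/1.3.27 (Unix)  (Red-Hat/Linux)"):
        print(f"{header!r:45} -> {classify_server_header(header)['level']}")
    print(audit(SAMPLE_404))
```

Run it as is to see the constructed sample classified as Full with the footer exposed; to check a server of your own, call audit(fetch_raw("your.host.example")) and request a page that does not exist, since it is the error page, not the front page, that carries the ServerSignature line. A result of ProductOnly in the header alongside a footer that still names the version is exactly the 1.3 leak described above.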