
Apache Obfuscation by disabling trace and server tokens

Preventative measures to avoid leaking which server software is running

Apache obfuscation is very easy to achieve and the benefits are great: the server doesn’t disclose information such as versions or OS, and doesn’t output verbose errors when ‘bad things happen’, and they happen.


Edit the Apache configuration, which on RedHat-based distributions is usually at /etc/httpd/conf/httpd.conf

Make sure the following settings are present, save, and restart Apache:

TraceEnable Off  
ServerSignature Off  
ServerTokens Prod

How do we test that this is actually working?

How to test TraceEnable

  1. curl -v -X TRACE http://…
  2. Confirm you get a forbidden response

How to test ServerTokens

  1. Make a request to the website and check the response headers
  2. Confirm the Server header in the response contains only “Apache”

How to test ServerSignature

  1. Make a request to the website for a URL that should respond with an Apache server error
  2. Confirm you don’t see information about the Apache server software version, OS, etc.
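The three manual checks above can be scripted so they are repeatable after every configuration change. The following is an added example, not part of the original post: it grades raw responses as saved with `curl -s -i`, and the function names and sample responses are constructed for illustration.

```shell
#!/bin/sh
# Grade saved `curl -s -i` output against the three checks (added example;
# function names and sample responses are constructed for illustration).

# Status code from the first line of a raw HTTP response.
status_of() { printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'; }

# Server header value: names are case-insensitive, headers end at the blank line.
server_header() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    /^$/ { exit }
    tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# TraceEnable Off: TRACE is refused. Apache documents 405 for this setting;
# 403 is accepted too, matching the "forbidden" wording of the manual step.
trace_disabled() {
  case "$(status_of "$1")" in 403|405) return 0 ;; *) return 1 ;; esac
}

# ServerTokens Prod: the header is exactly "Apache" (no version, OS, modules).
tokens_prod() { [ "$(server_header "$1")" = "Apache" ]; }

# ServerSignature Off: no "<address>... Server at <host> Port <n>" footer.
signature_off() {
  ! printf '%s\n' "$1" | grep -Eqi '<address>.*Server at .* Port [0-9]+'
}

# Constructed responses: an unhardened server, then one with the three settings.
LEAKY_TRACE='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Content-Type: message/http

TRACE / HTTP/1.1'
HARD_TRACE='HTTP/1.1 405 Method Not Allowed
Server: Apache
'
LEAKY_404='HTTP/1.1 404 Not Found
server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips

<h1>Not Found</h1>
<address>Apache/2.4.6 (CentOS) Server at www.example.com Port 80</address>'
HARD_404='HTTP/1.1 404 Not Found
Server: Apache

<h1>Not Found</h1>'
verdict() { if "$@"; then echo PASS; else echo FAIL; fi; }
echo "TraceEnable:     $(verdict trace_disabled "$HARD_TRACE")"
echo "ServerTokens:    $(verdict tokens_prod "$HARD_404")"
echo "ServerSignature: $(verdict signature_off "$HARD_404")"
```

To grade a live server, replace the sample variables with captured output, for example the result of a TRACE request for the first check and a request for a non-existent URL for the other two.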