Apache obfuscation is easy to set up and worth doing: the server stops disclosing its version and OS, and it stops printing verbose, version-bearing error pages when ‘bad things happen’, and they do happen. Keep in mind that this only reduces what an attacker can fingerprint; it does not fix the vulnerabilities a disclosed version would point to, so treat it as one layer alongside patching.
Edit the Apache configuration, usually available here for RedHat-based distributions:
Make sure the following settings are present, save, and restart Apache:
TraceEnable Off
ServerSignature Off
ServerTokens Prod
A few caveats: ServerTokens Prod (short for ProductOnly) is the most restrictive value the directive offers, so the Server header still says “Apache”, just without version, OS or module details. ServerTokens is a server-wide setting and cannot be changed per virtual host. ServerSignature Off removes the footer line that Apache appends to its own generated pages (error pages, directory listings); it does not affect the Server header, which is governed by ServerTokens.
How do we test that this is actually working?
How to test TraceEnable
1. curl -v -X TRACE http://…
2. Confirm the request is refused: with TraceEnable Off, Apache answers with 405 Method Not Allowed (a proxy or WAF in front may turn that into a 403). A 200 that echoes your request back in the body means TRACE is still enabled.
How to test ServerTokens
- Make a request to the website and check the response headers
- Confirm the Server header says only “Apache”, with no version number, OS or module list (for example not “Apache/2.4.6 (CentOS)”)
How to test ServerSignature
- Make a request for a URL that should produce an Apache-generated error page, for example a path that does not exist, which returns a 404
- Confirm the page carries no footer line of the form “Apache/version (OS) Server at host Port N”; with ServerSignature Off that line is gone, and you should not see the Apache version, OS, or hostname anywhere in the error page
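The three checks above, scripted as an added example (this is not code from the original post). The check functions parse raw HTTP responses of the kind `curl -si` prints, so they can be exercised offline on the constructed sample responses embedded below; `audit_url` wires them to curl for a real target. The hostnames, paths, version strings and sample responses are all made up for illustration.

```shell
#!/bin/sh
# Added example: verify TraceEnable Off, ServerTokens Prod and ServerSignature Off
# by inspecting raw HTTP responses (status line + headers + body, as from `curl -si`).

# Status code from the status line, e.g. "HTTP/1.1 405 Method Not Allowed" -> 405
http_status() {
  printf '%s\n' "$1" | head -n 1 | awk '{print $2}'
}

# Value of the Server: header (case-insensitive name, CR stripped; empty if absent)
server_header() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk 'tolower($1)=="server:" {sub(/^[^ ]+[ \t]*/, ""); print; exit}'
}

# TraceEnable Off makes Apache answer TRACE with 405; a 403 from a proxy/WAF
# in front also means the method is refused. Anything else is a failure.
check_trace() {
  case "$(http_status "$1")" in
    405|403) echo "TraceEnable: PASS"; return 0 ;;
    *)       echo "TraceEnable: FAIL (TRACE was answered)"; return 1 ;;
  esac
}

# ServerTokens Prod leaves the header as exactly "Apache": no version, OS or modules.
check_tokens() {
  s=$(server_header "$1")
  if [ "$s" = "Apache" ]; then
    echo "ServerTokens: PASS"; return 0
  fi
  echo "ServerTokens: FAIL (Server: $s)"; return 1
}

# ServerSignature Off removes the "<address>Apache/x.y (OS) Server at host Port N</address>"
# footer from Apache-generated error pages.
check_signature() {
  if printf '%s\n' "$1" | grep -qi '<address>.*Server at .* Port [0-9]'; then
    echo "ServerSignature: FAIL (signature footer present)"; return 1
  fi
  echo "ServerSignature: PASS"; return 0
}

# Live audit of a real server (assumed usage: ./audit.sh http://www.example.com)
audit_url() {
  check_trace     "$(curl -si -X TRACE "$1")"
  check_tokens    "$(curl -si "$1")"
  check_signature "$(curl -si "$1/this-path-should-not-exist")"
}

# Constructed sample responses (not captured from any real host): a default
# build that leaks, and a hardened build with the three directives applied.
LEAK_TRACE='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Content-Type: message/http

TRACE / HTTP/1.1'
HARD_TRACE='HTTP/1.1 405 Method Not Allowed
Server: Apache
Allow: GET,HEAD,POST,OPTIONS'
LEAK_404='HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html

<h1>Not Found</h1>
<address>Apache/2.4.6 (CentOS) Server at www.example.com Port 80</address>'
HARD_404='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<h1>Not Found</h1>'

if [ $# -gt 0 ]; then
  audit_url "$1"
else
  echo "== default build =="
  check_trace "$LEAK_TRACE" || true
  check_tokens "$LEAK_404" || true
  check_signature "$LEAK_404" || true
  echo "== hardened build =="
  check_trace "$HARD_TRACE"
  check_tokens "$HARD_404"
  check_signature "$HARD_404"
fi
```

Run it with no arguments to see the checks applied to the embedded samples, or pass a base URL to audit a live server. Each check returns non-zero on failure, so the script slots into a CI job or a post-deploy smoke test without further changes.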