Apache token for securing your web server

Posted: 1p in Apache

The ServerTokens directive is generally found in Apache's main configuration file, httpd.conf. If it is not present, never mind; you can simply add it, e.g. “ServerTokens Prod”.

Syntax for ServerTokens

“ServerTokens Major|Minor|Min|Prod|OS|Full”

The five options will differ from each other. I will explain them one by one.

ServerTokens Full
=============
When the above option is set, the server will send the full information to the remote host.
Information sent will be
Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
This is a big security hole and is not recommended, because hackers can look for the security holes in Apache 2.0.41, PHP 4.2.2 and Unix operating systems and can easily hack the server.

ServerTokens OS
============
When the above option is set, the server will send the Web server version and the operating system version.
Information sent will be
Server: Apache/2.0.41 (Unix)
This is also a security issue, as the remote user will try to hack the server with security holes in the web server version and operating system.

ServerTokens Min
============
When the above option is set, the server will send the Web server’s full version number, like Apache 2.0.41.
Information sent will be
Server: Apache/2.0.41
This is also a security issue, as the remote user will try to hack the server with security holes in Apache 2.0.41 versions.

ServerTokens Minor
==============
When the above option is set, the server will send the Web server’s minor version number, like Apache version 2.0.
Information sent will be
Server: Apache/2.0
This is also a security issue, as the remote user will try to hack the server with security holes in Apache 2.0 versions.

ServerTokens Major
==============
When the above option is set, the server will send the Web server’s major version number, like Apache version 2.
Information sent will be
Server: Apache/2
This is also a security issue, as the remote user will try to hack the server with security holes in Apache 2 versions.

ServerTokens Prod
=============
When the above option is set, the server will send the Web server’s name alone. This is recommended, as the hacker will not have a clue which version of Apache is running on the server or which operating system is used.
Information sent will be
Server: Apache
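To confirm which level a server is actually sending after a configuration change, the Server header from one of its own responses can be matched against the six formats listed above. This is an added example, not code from the original post; the function names are assumptions and the sample response is constructed from the post's header values.

```python
import re

# Formats follow the sample headers in the post, most verbose first.
# A Full header with no module tokens looks the same as OS.
LEVELS = [
    ("Full", re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\) \S.*$")),
    ("OS", re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$")),
    ("Min", re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("Minor", re.compile(r"^Apache/\d+\.\d+$")),
    ("Major", re.compile(r"^Apache/\d+$")),
    ("Prod", re.compile(r"^Apache$")),
]


def classify_server_header(value):
    """Return the ServerTokens level a Server header value matches, or None."""
    value = value.strip()
    for level, pattern in LEVELS:
        if pattern.match(value):
            return level
    return None  # not an Apache-style header


def audit_response_headers(raw_headers):
    """Find the Server header in a raw header block and report what it discloses."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            level = classify_server_header(value)
            # Only the product name alone (Prod) counts as acceptable.
            return {"header": value.strip(), "level": level, "ok": level == "Prod"}
    # No Server header at all: nothing is disclosed.
    return {"header": None, "level": None, "ok": True}


# Constructed sample response, using the Full header shown in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2\r\n"
    "Content-Type: text/html\r\n"
)

if __name__ == "__main__":
    print(audit_response_headers(SAMPLE_RESPONSE))
    print(audit_response_headers("HTTP/1.1 200 OK\r\nServer: Apache\r\n"))
```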

Comments
  1. todays date says:

    I love your blog, I have it in my RSS reader and always like new things coming up from it.
