
Where is ServerTokens Off and How to Disable It

Web servers play a crucial role in delivering content to users across the internet. Among the many features and configurations that a server administrator must consider, one important setting to be aware of is ServerTokens in the Apache web server. This directive controls how much information the server reveals about itself in HTTP response headers, which can have direct implications for the security of a website.

By default, Apache web servers include quite a bit of information in their headers—data such as software version, operating system, and installed modules. While this might seem benign, it can offer unnecessary information to potential attackers. Configuring ServerTokens properly and turning it “Off” can limit that exposure and strengthen a website’s security posture.

What is ServerTokens?

ServerTokens is a directive in Apache’s configuration that determines what information the server sends in the Server HTTP response header. This information may include the web server version, the operating system, and module details that can potentially be exploited.

For example, a default configuration may result in a header like:
Server: Apache/2.4.54 (Unix) OpenSSL/1.1.1

Such detailed information might be useful for diagnostics but also gives hackers clues about possible vulnerabilities in your setup.

Where is ServerTokens Off?

The phrase “ServerTokens Off” is often used loosely by administrators and developers to mean the server is hardened against information disclosure. However, Off is not a valid value for the ServerTokens directive, and Apache will reject it when the configuration is checked. The correct and most restrictive option is actually:

ServerTokens Prod

This setting causes Apache to return only:

Server: Apache

It hides version numbers and other identifying information, which is ideal for a production environment where security is a high priority.

How to Disable ServerTokens

Disabling or limiting ServerTokens is simple and involves editing the Apache configuration file. Here’s how to do it step-by-step:

  1. Locate the Apache configuration file, usually found at one of the following paths:
    • /etc/httpd/conf/httpd.conf (CentOS, RHEL)
    • /etc/apache2/apache2.conf (Debian, Ubuntu)
  2. Open the file in a text editor with root permissions. For example:
    sudo nano /etc/apache2/apache2.conf
  3. Find or add the line:
    ServerTokens Prod
  4. Also, consider adding:
    ServerSignature Off
    This removes the footer line, containing the server version and host name, that Apache appends to generated pages such as 404 errors.
  5. Save and exit the file.
  6. Restart Apache to apply the changes:
    sudo systemctl restart apache2 (Debian-based)
    sudo systemctl restart httpd (RedHat-based)
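Before restarting, it is worth checking what the configuration will actually produce. The script below is an added example (not part of the original article): it reports the effective ServerTokens and ServerSignature values in a config file the way Apache resolves them (comments ignored, directive names case-insensitive, last occurrence wins), rates the ServerTokens value, and classifies a Server: response header such as the one `curl -sI` would return. The config fragment it audits is constructed for the demonstration; on a real system point it at the paths given in the steps above.

```shell
#!/bin/sh
# Added example, not from the original article: audit Apache's ServerTokens /
# ServerSignature settings and classify a Server: response header.

# Print the effective value of a directive: comment lines are skipped, the
# directive name is matched case-insensitively, and the last occurrence wins,
# which is how Apache resolves repeated directives in the main server context.
effective_directive() {
  # $1 = directive name, $2 = config file
  awk -v name="$1" '
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(name) { value = $2 }
    END { print (value == "" ? "UNSET" : value) }
  ' "$2"
}

# Rate a ServerTokens value. The valid values are Full, OS, Min[imal], Minor,
# Major and Prod[uctOnly]; anything else, including "Off", is a syntax error
# that `apachectl configtest` reports and that stops Apache from starting.
rate_server_tokens() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    prod|productonly)
      echo "OK: only 'Server: Apache' is sent" ;;
    major|minor|min|minimal|os|full)
      echo "WEAK: '$1' still reveals version or OS details" ;;
    unset)
      echo "WEAK: ServerTokens not set, Apache defaults to Full" ;;
    *)
      echo "INVALID: '$1' is not a ServerTokens value; apachectl configtest will reject it" ;;
  esac
}

# Classify a Server: header line, e.g. from: curl -sI http://localhost/ | grep -i '^Server:'
# A "/" means a version number is present; "(" means the OS token is present.
rate_server_header() {
  hdr=$(printf '%s' "$1" | tr -d '\r' | sed 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//')
  case "$hdr" in
    */*|*\(*) echo "LEAK: $hdr" ;;
    *)        echo "OK: $hdr" ;;
  esac
}

# Demo run on a constructed config fragment (a real audit would use
# /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf from the steps above).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# Constructed sample, not a real server's configuration
servertokens OS
ServerTokens Prod
ServerSignature Off
EOF
tokens=$(effective_directive ServerTokens "$demo_cfg")
echo "ServerTokens: $tokens -> $(rate_server_tokens "$tokens")"
echo "ServerSignature: $(effective_directive ServerSignature "$demo_cfg")"
rm -f "$demo_cfg"
rate_server_header 'Server: Apache/2.4.54 (Unix) OpenSSL/1.1.1'
rate_server_header 'Server: Apache'
```

On Debian and Ubuntu the stock `ServerTokens` and `ServerSignature` lines live in /etc/apache2/conf-enabled/security.conf rather than apache2.conf, so run the audit against that file as well; a later `ServerTokens OS` there would override a `Prod` placed earlier in the include order. Run `apachectl configtest` before the restart so that a typo such as `ServerTokens Off` is caught without taking the site down.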

Why Should You Disable ServerTokens?

A major component of any cybersecurity strategy involves reducing the amount of information an attacker can use. By setting ServerTokens to Prod, you minimize the data your server reveals, making it harder for malicious users to identify exploitable vulnerabilities tied to specific Apache versions or modules.

This step alone won’t secure your server, but it’s an essential part of a larger hardening process.


In conclusion, while it’s a small change in the configuration file, setting ServerTokens Prod is a smart move toward making a web server more secure. It limits the exposure of sensitive information that can otherwise aid attackers in targeting known vulnerabilities. Combine this with other best practices and your server will be far less inviting to unwanted attention.
