Change Apache httpd “Server:” HTTP header












30















One of the HTTP headers that the Apache httpd sends back with response data is "Server". For example, my web server machine is relatively up-to-date Arch Linux. It sends back headers closely resembling the following:



HTTP/1.1 404 Not Found
Date: Thu, 10 Apr 2014 17:19:27 GMT
Server: Apache/2.4.9 (Unix)
Content-Length: 1149
Connection: close
Content-Type: text/html


I have ServerSignature off in /etc/httpd/conf/httpd.conf, but the "Server:" header still appears. I have experimented with mod_headers. I have it enabled, and I've tried a few things:



<IfModule headers_module>
Header set ProcessingTime "%D"
Header set Server BigJohn
</IfModule>


After stopping and starting httpd with the above configuration, the HTTP headers include something like ProcessingTime: 1523, but the "Server:" header line remains unchanged. So I know that "mod_headers" is installed and enabled, and working, but not as I desire.



I see that something called "mod_security" claims to do this, but I don't want all the rest of the baggage that mod_security carries with it.



UPDATE:



Once you get mod_security installed, you only need a few directives:



<IfModule security2_module>
SecRuleEngine on
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>


That's for mod_security 2.7.7










Tags: http apache-httpd

asked Apr 10 '14 at 17:31 by Bruce Ediger (edited Apr 12 '14 at 16:24)








  • 2
    Have you restarted apache since changing the conf file? Also I've never seen the file called 'httpd.com', usually it's called 'httpd.conf'.
    – Michael Ozeryansky
    Apr 10 '14 at 18:00

  • @MichaelOzeryansky - thanks for catching the misspelling. It is "httpd.conf". I do stop and start httpd after changing httpd.conf.
    – Bruce Ediger
    Apr 10 '14 at 18:14














5 Answers


















1

I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent.

Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.

ServerTokens none

The response header would look like this:

HTTP/1.1 200 OK
Date: Mon, 28 Dec 2015 07:02:45 GMT
Server:
Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT
.
.

  • 2
    On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"
    – jph
    Apr 19 '16 at 16:36



















0

ServerTokens none shows error in the application

– Hoptozerz (new contributor)




















10

The server ID/token header is controlled by the "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code, or using the mod_security module, there is no other way to fully suppress the server ID header.

With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."

answered Apr 10 '14 at 18:31 by Chipster

  • This does work, thank you very much. I have to note that mod_security is not one of Arch Linux's ordinary packages. There's a PKGBUILD in the AUR, but it hasn't been updated since 2011 (as of April 12, 2014) and it references a really old version of mod_security. As always, your distro may vary.
    – Bruce Ediger
    Apr 12 '14 at 16:15



















24

mod_security is great, but you don't really need it to achieve your goal.

After all mods have been included in httpd.conf you can simply unset the headers of your choosing.

Header unset Server

ServerSignature Off
ServerTokens Prod

http://httpd.apache.org/docs/2.4/mod/core.html#serversignature

answered Mar 31 '15 at 22:55 by Matt Ryan

  • 2
    mod_sec is needed for a custom text to hide completely the work apache otherwise your solution is good and simple :)
    – intika
    Aug 12 '15 at 18:13

  • This has no effect for me using Apache 2.2 (patched) on Centos 6.
    – jph
    Apr 19 '16 at 16:35

  • 1
    In Apache 2.4, it is reported as Syntax error : Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
    – Raptor
    May 6 '16 at 10:07

  • 2
    @Raptor You have to install mod_headers with sudo a2enmod headers
    – Ortomala Lokni
    Nov 15 '16 at 15:58

  • 1
    Header unset Server does not work in Apache 2.2 and 2.4. Response headers still contain Server: Apache
    – Maris B.
    Jul 11 '18 at 8:28














          12







          Just updating this for people who are still looking. I was having trouble getting the Server line in the HTTP header changed. This advice should work for Debian branch distros with systemd and Apache 2.4.7. Specifically, I am using Ubuntu Server LTS 14.04.03. Some advice I found was to do



          grep -Ri servertokens /etc/apache2


          This led me to /etc/apache2/conf-available/security.conf where both ServerTokens and ServerSignature were specified. Therefore, any changes I was making to /etc/apache2/apache2.conf were being overwritten by the directives already specified in security.conf.



          I simply changed the directives in security.conf and Apache started working as I wanted.



          ServerTokens Prod
          ServerSignature Off


          On the topic of Header unset Server, I found a bug report where the Apache devs said it is a won't fix issue. Apparently for them it is a philosophical issue, despite that the specification for HTTP/1.1, RFC 2616 authored in part by Tim Berners-Lee, saying that the Server tag is optional.



          I really wanted to set the Server tag to "Unknown" to make our Qualys scans happy. So, I installed mod_security, now called libapache2-modsecurity, following this DigitalOcean tutorial. Best of luck, I hope I helped for all you future readers.
















          answered Oct 27 '15 at 15:18









          slmaq
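          The answer above found that a second file under /etc/apache2 was also setting ServerTokens and ServerSignature. The following is an added example, not part of the original answer: it lists every active (uncommented) setting of a directive under a config tree and flags disagreement between files. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample tree below are constructed.

# list_directive DIR NAME -> "file:line:value" for each active (uncommented)
# occurrence of NAME under DIR. Apache directive names are case-insensitive.
list_directive() {
    grep -RHinE "^[[:space:]]*$2[[:space:]]+" "$1" 2>/dev/null |
        sed -E 's/^([^:]+:[0-9]+):[[:space:]]*[^[:space:]]+[[:space:]]+/\1:/; s/[[:space:]]+$//' |
        sort
}

# distinct_values DIR NAME -> the distinct values found, lower-cased.
distinct_values() {
    list_directive "$1" "$2" | cut -d: -f3- | tr '[:upper:]' '[:lower:]' | sort -u
}

# audit_directive DIR NAME -> prints every setting; returns 0 if all files
# agree, 1 if they disagree, 2 if the directive is not set anywhere.
audit_directive() {
    n=$(distinct_values "$1" "$2" | wc -l)
    list_directive "$1" "$2"
    if [ "$n" -eq 0 ]; then echo "$2: not set under $1"; return 2; fi
    if [ "$n" -gt 1 ]; then echo "$2: conflicting values, check include order"; return 1; fi
    return 0
}

# Constructed sample tree mirroring the layout named in the answer.
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/conf-available" || return 1
    printf '%s\n' '# ServerTokens Full' 'ServerTokens Prod' 'ServerSignature Off' \
        > "$d/apache2.conf"
    printf '%s\n' '#ServerTokens Minimal' 'ServerTokens OS' 'serversignature On' \
        > "$d/conf-available/security.conf"
    echo "$d"
}

tree=$(make_sample_tree)
audit_directive "$tree" ServerTokens || true
audit_directive "$tree" ServerSignature || true
rm -rf "$tree"
```

          On a real host, point it at the live tree, for example audit_directive /etc/apache2 ServerTokens.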























              1














              I've tested something on Oracle HTTP Server 11.1.1.9 (which is built on Apache 2.2.22) that worked for me, to some extent.



              Setting the "ServerTokens" to "none" seems to remove the "Server" header value, although the header itself keeps being sent in the response, but now it has a null value.




              ServerTokens none




              The response header would look like this:




              HTTP/1.1 200 OK
              Date: Mon, 28 Dec 2015 07:02:45 GMT
              Server:
              Last-Modified: Sun, 27 Dec 2015 07:29:13 GMT
              .
              .

















              answered Dec 28 '15 at 7:46









              Mohab Elsayed








              • 2





                On Apache 2.2 stock, from Centos 6 repos, setting a value of "none" causes Apache to output all data. For instance: "Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips Phusion_Passenger/4.0.59 mod_perl/2.0.4 Perl/v5.10.1"

                – jph
                Apr 19 '16 at 16:36
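              Because the same ServerTokens value gave different results on the two builds described above, it is worth checking what the server actually sends after each change. The following is an added example, not part of the original answer or comment: it reads a response header block on stdin and classifies how much the Server header discloses. The function names and class labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and class labels are constructed.

# server_header_class: read an HTTP response header block on stdin and print
#   absent  - no Server header          empty   - header present, no value
#   product - name only                 version - one product/version token
#   os      - includes "(platform)"     modules - several product/version tokens
server_header_class() {
    awk '
        BEGIN { cls = "absent" }
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^$/ { exit }                      # blank line ends the header block
        tolower($0) ~ /^server:/ {
            v = $0
            sub(/^[^:]*:[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            slashes = 0; n = split(v, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) if (tok[i] ~ /\/[0-9]/) slashes++
            if (v == "")          cls = "empty"
            else if (slashes > 1) cls = "modules"
            else if (v ~ /\(/)    cls = "os"
            else if (slashes == 1) cls = "version"
            else                  cls = "product"
        }
        END { print cls }
    '
}

# header_is_quiet: succeed only when no version, OS or module detail is sent.
header_is_quiet() {
    case $(server_header_class) in
        absent|empty|product) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on header values quoted on this page plus one constructed value.
# Against a live server: curl -sI http://localhost/ | server_header_class
for h in 'Server: Apache/2.4.9 (Unix)' 'Server:' 'Server: Apache'; do
    printf 'HTTP/1.1 200 OK\r\n%s\r\n\r\n' "$h" | server_header_class
done
```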

























              0














              ServerTokens none shows error in the application














                  answered 9 mins ago









                  Hoptozerz
