Apache server tokens

Hi,

ServerTokens is one of the options for securing your Apache web server. Let me explain its settings here.
The ServerTokens directive is generally found in the main Apache configuration file, httpd.conf. If it is not present, you can simply add it, e.g. ServerTokens Prod

Syntax for ServerTokens is

ServerTokens Major|Minor|Min|Prod|OS|Full

The five options will differ from each other. I will explain them one by one.

ServerTokens Full
=============
When the above option is set, the server will send the full information to the remote host.
Information sent will be

Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

This is a big security hole and is not recommended, because hackers can look for the security holes in Apache 2.0.41, PHP 4.2.2 and Unix operating systems and can more easily hack the server.

ServerTokens OS
============
When the above option is set, the server will send the Web server version and the operating system version.
Information sent will be

Server: Apache/2.0.41 (Unix)

This is also a security issue, as a remote user can try to hack the server using security holes in the web server version and operating system.

ServerTokens Min
============
When the above option is set, the server will send the web server's full version number, like Apache 2.0.41.
Information sent will be

Server: Apache/2.0.41

This is also a security issue, as a remote user can try to hack the server using security holes in Apache 2.0.41 versions.

ServerTokens Minor
==============
When the above option is set, the server will send the web server's minor version number, like Apache version 2.0.
Information sent will be

Server: Apache/2.0

This is also a security issue, as a remote user can try to hack the server using security holes in Apache 2.0 versions.

ServerTokens Major
==============
When the above option is set, the server will send the web server's major version number, like Apache version 2.
Information sent will be

Server: Apache/2

This is also a security issue, as a remote user can try to hack the server using security holes in the Apache 2 version.

ServerTokens Prod
=============
When the above option is set, the server will send the web server's name alone. This is recommended, as the hacker will not have a clue which version of Apache is running on the server or which operating system is used.
Information sent will be

Server: Apache

I would recommend using this option to avoid unwanted exposure of your server information.
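
To check which setting a server is actually using, the Server header it returns can be mapped back to a ServerTokens level. The Python below is an added example, not part of the original post; the function names and the sample response are constructed for illustration, and the header shapes are the six shown above.

```python
import re

# Shape of the Server header values shown on this page:
#   Apache[/version] [(os)] [module/version ...]
_SERVER_RE = re.compile(
    r"^Apache(?:/(?P<version>\d+(?:\.\d+){0,2}))?"
    r"(?:\s+\((?P<os>[^)]+)\))?"
    r"(?P<modules>(?:\s+\S+)*)\s*$"
)

def classify_server_header(value):
    """Return the ServerTokens level that produces this header value,
    or None if it does not look like an Apache Server header."""
    m = _SERVER_RE.match(value.strip())
    if m is None:
        return None
    version, os_name = m.group("version"), m.group("os")
    modules = m.group("modules").split()
    if version is None:
        # Bare product name; anything after it is not an Apache format.
        return None if (os_name or modules) else "Prod"
    if modules:
        return "Full"
    if os_name:
        # Full on a server with no extra modules looks the same as OS.
        return "OS"
    return {0: "Major", 1: "Minor", 2: "Min"}[version.count(".")]

def audit_response_head(raw_head):
    """Find the Server header in a raw HTTP response head and return
    (header value, ServerTokens level, compliant). Compliant means the
    header is absent or matches Prod, the setting the page recommends."""
    for line in raw_head.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            level = classify_server_header(value)
            return value.strip(), level, level == "Prod"
    return None, None, True

# Constructed sample response head (not captured from a real server).
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.0.41 (Unix)\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    print(audit_response_head(SAMPLE_HEAD))
```

Run it against the response headers of your own servers after changing httpd.conf and restarting Apache to confirm the new setting took effect.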

Reference: http://www.debianhelp.co.uk
