Apache server tokens

Hi,

Apache token is one of the options for securing your web server. Let me explain you the options here.
Apache token is generally found in apache main configuration file httpd.conf if it is not present never mind, you can simply add it “eg:ServerTokens Prod”

Syntax for ServerTokens is

ServerTokens Major|Minor|Min|Prod|OS|Full

The five options will differ from each other. I will explain them one by one.

ServerTokens Full
=============
When the above option is set, the server will send the full information to the remote host.
Information sent will be

Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

which is a big security hole and it is not recommended, because hackers can look for the security holes in Apache 2.0.41, PHP4.2.2 and unix operating systems and can easily hack the server.

ServerTokens OS

============
When the above option is set, the server will send the Web server version and the operating system version.
Information sent will be

Server: Apache/2.0.41 (Unix)

This is also an security issue as the remote user will try to hack the server with security holes in the webserver version and operating system.

ServerTokens Min
============
When the above option is set, the server will send the Web server’s full version number like Apache2.0.41
Information sent will be

Server: Apache/2.0.41

This is also an security issue as the remote user will try to hack the server with security holes in Apache2.0.41 versions.

ServerTokens Minor
==============
When the above option is set, the server will send the Web server’s minor version number like Apache version2.0
Information sent will be

 Server: Apache/2.0

This is also an security issue as the remote user will try to hack the server with security holes in Apache 2.0 versions.

ServerTokens Major
==============
When the above option is set, the server will send the Web server’s minor version number like Apache version2
Information sent will be
Server: Apache/2
This is also an security issue as the remote user will try to hack the server with security holes in Apache 2 version.

ServerTokens Prod
=============
When the above option is set, the server will send the Web server’s name alone, which is recommended as the hacker will not have a clue of which version of Apache is running in the server and also which operating system is used.
Information sent will be

Server: Apache

I would recommend to use this option to avoid unwanted exploitation of your server information.

Reference: http://www.debianhelp.co.uk

7 comments

  1. Hairstyles says:

    There are some interesting closing dates in this article but I don? know if I see all of them heart to heart. There may be some validity however I’ll take hold opinion till I look into it further. Good article , thanks and we want extra! Added to FeedBurner as nicely

  2. Crave Freebies says:

    This is the proper blog for anyone who needs to search out out about this topic. You realize a lot its almost arduous to argue with you (not that I truly would want?aHa). You positively put a new spin on a topic thats been written about for years. Nice stuff, just nice!

  3. Free Stuff says:

    What? Going down i am new to this, I stumbled upon this I have found It absolutely useful and it has helped me out loads. I am hoping to contribute & aid other users like its aided me. Good job.

Leave a Reply

Protected by WP Anti Spam