Masking Your Web Server's Identity


If you’ve never taken a look at the HTTP response headers your web server is sending out, you might be a little surprised at what you find; by default both Apache and IIS give out more information than most people would think.

Here is an example of the default Apache header:

Server=Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.7a

Now that may be fine internally but I don’t know if I’m comfortable announcing that information to everyone who stumbles across my web server on the Internet. By adding a couple directives to the Apache config file:

ServerTokens ProductOnly
ServerSignature Off

…then restarting Apache, you get the following now:


OK, that’s a bit better, but if we really want to mask our identity we’ll have to change more than headers. Revealing information leaks out on numerous levels; protection at the application layer is a great start, but don’t forget about the lower TCP/IP protocol layer. Ensuring your firewall is blocking the appropriate ports is critical, but it won’t stop a hacker from determining your OS by your TCP/IP fingerprint. For more information, check out Port 80 Software’s Server Mask.
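To confirm the directives took effect, the following added example (not part of the original article) parses a Server header into its product tokens and reports what each one discloses. The function names and the sample responses are constructed for illustration; the first Server value is the article's own example, and the second assumes the `Server: Apache` value that Apache documents for `ServerTokens ProductOnly`.

```python
import re

# A Server value is a list of product[/version] tokens and "(comment)" parts.
_PART = re.compile(r"\(([^()]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

def server_values(raw_headers):
    """Pull Server values out of a header dump ("Server: x" or "Server=x")."""
    found = []
    for line in raw_headers.splitlines():
        m = re.match(r"\s*server\s*[:=]\s*(.*\S)", line, re.IGNORECASE)
        if m:
            found.append(m.group(1))
    return found

def audit_server_header(value):
    """Return findings describing what one Server value discloses."""
    products, findings = [], []
    for comment, name, version in _PART.findall(value):
        if name:
            products.append(name)
            if version:
                findings.append(f"version disclosed: {name} {version}")
        elif comment.strip():
            findings.append(f"platform disclosed: {comment.strip()}")
    # Anything after the first product is a module or library name.
    if len(products) > 1:
        findings.append("modules disclosed: " + ", ".join(products[1:]))
    return findings

# Constructed sample responses; the first Server value is the article's example.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
          "Server: Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.7a\r\n"
          "Content-Type: text/html\r\n")
# Assumed result of ServerTokens ProductOnly, per Apache's documentation.
AFTER = BEFORE.replace("Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.7a", "Apache")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        for value in server_values(raw):
            findings = audit_server_header(value)
            print(label, repr(value), findings or "no version details")
```

The same functions can be run over the saved output of `curl -sI` against your own server after the restart.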
