Masking Your Web Server's Identity

If you’ve never taken a look at the HTTP response headers your web server is sending out, you might be a little surprised at what you find; by default both Apache and IIS give out more information than most people would think.

Here is an example of the default apache header:

Server=Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.7a

Now that may be fine internally but I don’t know if I’m comfortable announcing that information to everyone who stumbles across my web server on the Internet. By adding a couple directives to the Apache config file:

ServerTokens ProductOnly
ServerSignature Off

…then restarting Apache, you get the following now:


OK, that’s a bit better but if we really want to mask our identity we’ll have to change more than headers. Revealing information leaks out on numerous levels; protection at the application layer is a great start but don’t forget about the lower TCP/IP protocol layer. Ensuring your firewall is blocking the appropriate ports is a critical but it won’t ensure that a hacker won’t be able to determine your OS by your TCP/IP fingerprint. For more information, check out Port 80 Software’s Server Mask.

Related Articles

Your Tags are Slowing You Down

Tags are an important way to track analytics on your site, but they may be increasing your load time. ...

Jun 28th / By Nate Weintraub

The Benefits of Installing SSL

Installing an SSL Certificate on your website provides a myriad of benefits including keeping modern browsers from telling your users your site is insecure. ...

Jun 22nd / By Julian Dutton

Tell us about your project

Please fill out your information and submit