Masking Your Web Server's Identity


If you’ve never taken a look at the HTTP response headers your web server is sending out, you might be a little surprised at what you find; by default both Apache and IIS give out more information than most people would think.

Here is an example of the default Apache Server header:

Server=Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.7a

Now that may be fine internally, but I don’t know if I’m comfortable announcing that information to everyone who stumbles across my web server on the Internet. By adding a couple of directives to the Apache config file:

ServerTokens ProductOnly
ServerSignature Off

…then restarting Apache, you get the following now:


OK, that’s a bit better, but if we really want to mask our identity we’ll have to change more than headers. Identifying information leaks out on numerous levels; protection at the application layer is a great start, but don’t forget about the lower TCP/IP protocol layer. Ensuring your firewall is blocking the appropriate ports is critical, but it won’t stop a hacker from determining your OS from its TCP/IP fingerprint. For more information, check out Port 80 Software’s Server Mask.
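A small checker for the header leak discussed above, written for this post as an added example (it is not code from the original article or from Apache). It parses a raw HTTP response and flags product/version tokens in the Server and X-Powered-By headers; the sample responses are constructed, the first reproducing the verbose default header quoted above and the second the header after ServerTokens ProductOnly.

```python
import re

# Constructed sample responses (not captured from a real server): the verbose
# default Apache header, the header after ServerTokens ProductOnly, and an IIS-style one.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.7a\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
MASKED_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
IIS_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: ASP.NET\r\nContent-Type: text/html\r\n\r\n"
)

# Headers that commonly disclose the software stack behind a site.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# A "product/version" token such as Apache/2.2.0 or OpenSSL/0.9.7a.
VERSIONED_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")


def parse_headers(raw_response):
    """Return the response headers keyed by lowercase name (last value wins)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(raw_response):
    """Return (header, product, version) triples that leak the software stack."""
    leaks = []
    headers = parse_headers(raw_response)
    for name in DISCLOSING_HEADERS:
        value = headers.get(name, "")
        tokens = VERSIONED_TOKEN.findall(value)
        leaks.extend((name, product, version) for product, version in tokens)
        # X-Powered-By discloses the stack even when it carries no version.
        if name == "x-powered-by" and value and not tokens:
            leaks.append((name, value, ""))
    return leaks


if __name__ == "__main__":
    for sample in (VERBOSE_RESPONSE, MASKED_RESPONSE, IIS_RESPONSE):
        print(parse_headers(sample).get("server"), "->", find_disclosures(sample))
```

Point it at the raw response from your own server (for example the output of a HEAD request) to confirm that the directives took effect after a restart.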
