
Suppressing software version numbers?

PostPosted: 29. June 2008 04:02
by Boogerhead
Kind folks,

When I have a directory listing, Apache spits out every version number, e.g.:
Apache/2.2.8 (Win32) DAV/2 mod_ssl/2.2.8 OpenSSL/0.9.8g mod_autoindex_color PHP/5.2.5 Server at blahblahblah port blah

I'm really not a big fan of advertising security holes that I don't even know about -- why should I give extra information to someone who could find a security hole in my software? So I'd really, really like to disable this (and suggest that it be off by default in future versions of XAMPP, as it offers no useful information to users and potentially dangerous information to hackers).

I found suggestions for a CentOS install of Apache that suggested these be put in httpd.conf:
ServerSignature Off
ServerTokens ProductOnly

I did that, restarted the service, and still have the same problem, still have that big string of version numbers coming at me. I don't see directives anywhere else (e.g., within fancyindexing) that can suppress this.

Ideas? Suggestions?


Mike

PostPosted: 29. June 2008 04:54
by x-files
Mine says:
ServerSignature Off
ServerTokens Prod

and info is no longer sent. 8)

PostPosted: 29. June 2008 05:52
by Milligan

Re: Suppressing software version numbers?

PostPosted: 29. June 2008 13:12
by Nobbie
Boogerhead wrote: (and suggest that it be off by default in future versions of XAMPP, as it offers no useful information to users and potentially dangerous information to hackers).


Of course not, as Xampp is supposed to be used for local development and not for use on webservers.

If you wish to install Xampp on a public webserver anyway, it's on you to protect your server properly.

PostPosted: 30. June 2008 05:38
by Boogerhead
Milligan wrote: Try changing the defaults in \xampp\apache\conf\extra\httpd-default.conf


That did it! I'm much obliged.

Nobbie wrote: Of course not, as Xampp is supposed to be used for local development and not for use on webservers.


Again, I'm a bit confused, as a local developer surely knows which versions of the software are installed, or knows how to find out; there's no useful information given to the developer; no useful information given to any additional users; and potentially dangerous information given to people with ill will. Regardless of the intended userbase of XAMPP, it's difficult for me to imagine why creating security problems without a corresponding benefit to any possible audience, when it's so easily fixed, is a good idea. I may be missing something really big here, but I simply don't see the harm in reducing the information and see some potential benefit.
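Why the edit to httpd.conf did nothing and why the fix had to go into conf\extra\httpd-default.conf: Apache reads Include'd files in order and applies the last value it sees for a directive, and XAMPP's httpd.conf Includes conf/extra/httpd-default.conf, which (like the stock Apache copy of that file) ships "ServerTokens Full" and "ServerSignature On", overriding whatever was set earlier in httpd.conf. The script below is an added example, not code from this thread, from XAMPP or from Apache. It builds a constructed miniature of that layout in a temp directory, walks the Include chain to list every ServerTokens/ServerSignature directive in read order, reports the effective value, applies the same change Milligan suggested, and shows the result. The file contents, paths and function names are all assumptions made for the illustration.

```bash
#!/bin/bash
# Added example, not code from the original thread or from XAMPP/Apache.
# Demonstrates why "ServerSignature Off / ServerTokens Prod" in httpd.conf
# had no effect: Apache reads Include'd files in order and the LAST value of
# a directive wins, and XAMPP's httpd.conf Includes conf/extra/httpd-default.conf,
# which ships "ServerTokens Full" and "ServerSignature On".
# The directory tree built here is a constructed miniature of that layout.
set -eu

# walk_config CONF_DIR FILE
# Prints "file<TAB>line<TAB>directive value" for every ServerTokens and
# ServerSignature directive reachable from FILE, following Include lines in
# the order Apache reads them. Relative Include paths resolve against
# ServerRoot, which in XAMPP is the parent of the conf directory.
walk_config() {
    local conf_dir=$1 file=$2 line trimmed inc pattern f n=0
    [ -f "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        trimmed="${line#"${line%%[![:space:]]*}"}"   # strip leading whitespace
        case "$trimmed" in
            ''|\#*) continue ;;                       # blank line or comment
            ServerTokens*|ServerSignature*)
                printf '%s\t%s\t%s\n' "$file" "$n" "$trimmed" ;;
            Include*)                                 # Include / IncludeOptional
                inc=$(printf '%s' "$trimmed" | sed -e 's/^Include[A-Za-z]*[[:space:]]*//' -e 's/"//g')
                case "$inc" in
                    /*) pattern=$inc ;;
                    *)  pattern="$conf_dir/../$inc" ;;
                esac
                for f in $pattern; do                 # unquoted: let the shell expand globs
                    walk_config "$conf_dir" "$f"
                done ;;
        esac
    done < "$file"
}

# effective_value DIRECTIVE CONF_DIR FILE
# Prints the value Apache actually uses: the last one read, or the compiled-in
# default (ServerTokens Full, ServerSignature Off) when none is set anywhere.
effective_value() {
    local directive=$1 conf_dir=$2 file=$3 default tab
    case "$directive" in
        ServerTokens)    default=Full ;;
        ServerSignature) default=Off ;;
        *)               default="(unset)" ;;
    esac
    tab=$(printf '\t')
    walk_config "$conf_dir" "$file" | awk -F "$tab" -v d="$directive" -v def="$default" '
        { split($3, w, /[[:space:]]+/); if (w[1] == d) last = w[2] }
        END { print (last == "" ? def : last) }'
}

# harden_file FILE: rewrite the two directives in FILE to the restrictive
# settings (the edit to httpd-default.conf that resolved the thread).
harden_file() {
    sed -i.bak -e 's/^[[:space:]]*ServerTokens[[:space:]].*/ServerTokens Prod/' \
               -e 's/^[[:space:]]*ServerSignature[[:space:]].*/ServerSignature Off/' "$1"
}

# build_demo ROOT: constructed sample tree mimicking <xampp>/apache/conf; the
# contents are a minimal stand-in, not a copy of any real install.
build_demo() {
    local root=$1
    mkdir -p "$root/conf/extra"
    cat > "$root/conf/httpd.conf" <<'EOF'
ServerRoot "/xampp/apache"
# Hardening attempted in the main file, as in the original post
ServerSignature Off
ServerTokens Prod
Include "conf/extra/httpd-default.conf"
EOF
    cat > "$root/conf/extra/httpd-default.conf" <<'EOF'
Timeout 300
# Shipped defaults: read after the lines above, so they override them
ServerTokens Full
ServerSignature On
EOF
}

# demo: show the directives in read order, the effective values, then the fix
demo() {
    local root
    root=$(mktemp -d)
    build_demo "$root"
    echo "== directives in read order (last one wins) =="
    walk_config "$root/conf" "$root/conf/httpd.conf"
    echo "ServerTokens    effective: $(effective_value ServerTokens    "$root/conf" "$root/conf/httpd.conf")"
    echo "ServerSignature effective: $(effective_value ServerSignature "$root/conf" "$root/conf/httpd.conf")"
    harden_file "$root/conf/extra/httpd-default.conf"
    echo "== after editing conf/extra/httpd-default.conf =="
    echo "ServerTokens    effective: $(effective_value ServerTokens    "$root/conf" "$root/conf/httpd.conf")"
    echo "ServerSignature effective: $(effective_value ServerSignature "$root/conf" "$root/conf/httpd.conf")"
    rm -rf "$root"
}

if [ "${BASH_SOURCE[0]:-}" = "$0" ]; then demo; fi
```

Point walk_config at a real install (conf_dir = <xampp>\apache\conf) to see every file that sets these two directives. Two caveats worth knowing: Prod and ProductOnly are the same ServerTokens setting, and it still sends "Server: Apache", so the directive reduces the banner rather than removing it; and the PHP version can also leak through PHP's own X-Powered-By header, which is governed by expose_php in php.ini, not by either Apache directive.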