A Day in the Life of #Apache
Subject:   Headers
Date:   2004-09-27 20:33:42
From:   stewart_vardaman
I jotted this down as a note to myself a while back:

Apache lets you remove extra http banners that advertise your web server software versions. I like turning these off, which you can do if you have access to your httpd.conf file (sorry, this can only be changed globally in Apache). These banners are handy for outfits like NetCraft that measure market share, etc., but are not necessary.

By default, Apache's ServerTokens is set to "Full", which makes my site's "Server:" http header look like:

Apache/1.3.27 (Unix) DAV/1.0.3 mod_gzip/ mod_ssl/2.8.10 OpenSSL/0.9.6c PHP/4.3.4

In the configuration file, add:

ServerTokens ProductOnly

And the header is reduced to:

Apache

Some people prefer to do this to hide software versions from script kiddies. It doesn't really make your site more secure, but there's another benefit. The headers get sent with every request, and the full header is 89 bytes. One site I'm familiar with has 28 objects on the home page, so 89 bytes * 28 = 2,492 bytes. Seems kind of silly to send an 89-byte header for a 43-byte spacer gif. With ProductOnly, the banner is just 6 bytes (or 168 bytes total for the 28 object page).

Additionally, you can remove the "Apache" string, but I don't recommend doing so because it involves a source code change.

PHP also adds headers, in my case:

X-Powered-By: PHP/4.3.4

This can be turned off completely by adding:

expose_php = Off

to your php.ini file.
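As an added example that is not part of the original post, here is a small Python check for the two banners discussed above: it parses a raw HTTP response, reports which headers still disclose "Product/version" tokens, and redoes the per-object byte arithmetic for the Server header. The two sample responses are constructed to resemble the "Full" and "ProductOnly" headers in the post (the mod_gzip token, whose version is not given above, is left out); the function names are my own.

```python
"""Audit HTTP response headers for software-version banners.

Added example, not code from the original post. The sample responses
below are constructed; run the module directly to see the report.
"""
import re
from typing import Dict, List

# Response headers that commonly carry product/version banners.
BANNER_HEADERS = ("server", "x-powered-by")

# "Product/1.2.3"-style token: a name, a slash, then text starting with a digit.
VERSION_TOKEN = re.compile(r"[A-Za-z][\w\-]*/\d[\w.\-]*")

# Constructed sample: ServerTokens Full plus PHP's X-Powered-By header.
FULL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 27 Sep 2004 20:33:42 GMT\r\n"
    "Server: Apache/1.3.27 (Unix) DAV/1.0.3 mod_ssl/2.8.10 OpenSSL/0.9.6c PHP/4.3.4\r\n"
    "X-Powered-By: PHP/4.3.4\r\n"
    "Content-Type: image/gif\r\n"
    "\r\n"
)

# Constructed sample: ServerTokens ProductOnly and expose_php = Off.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 27 Sep 2004 20:33:42 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: image/gif\r\n"
    "\r\n"
)


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP response as a dict.

    The status line is skipped and header names are lowercased; any body
    after the blank line is ignored.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def leaked_versions(raw_response: str) -> Dict[str, List[str]]:
    """Map each banner header to the version tokens it discloses.

    Headers without version tokens (e.g. "Server: Apache") are omitted,
    so an empty dict means nothing version-specific is advertised.
    """
    headers = parse_headers(raw_response)
    leaks: Dict[str, List[str]] = {}
    for name in BANNER_HEADERS:
        if name in headers:
            tokens = VERSION_TOKEN.findall(headers[name])
            if tokens:
                leaks[name] = tokens
    return leaks


def server_banner_bytes(raw_response: str, objects: int = 1) -> int:
    """Bytes of Server header value sent for a page made of `objects` requests.

    Same arithmetic as the post: banner length times number of objects.
    """
    headers = parse_headers(raw_response)
    return len(headers.get("server", "")) * objects


if __name__ == "__main__":
    for label, resp in (("Full", FULL_RESPONSE), ("ProductOnly", HARDENED_RESPONSE)):
        print(f"{label}: leaks={leaked_versions(resp)} "
              f"server_bytes/28 objects={server_banner_bytes(resp, 28)}")
```

Against the hardened sample the leak report is empty and the Server value costs 6 bytes per object (168 bytes for the 28-object page from the post); against the full sample every module version and the PHP banner are listed, which is the output you would want to see go away after changing ServerTokens and expose_php.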