The Community Forums

Interact with an entire community of cPanel & WHM users!

Remove Server Header

Discussion in 'Security' started by rfcabal, Jun 16, 2017.

  1. rfcabal

    rfcabal Registered

    Joined:
    Feb 17, 2015
    Messages:
    4
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Santiago, Chile, Chile
    cPanel Access Level:
    Root Administrator
    Hi Guys

    I have a question: one of my clients is asking about removing unnecessary headers like "Server". I have tried to add

    <IfModule headers_module>
    Header unset Server
    </IfModule>

    in .htaccess and Apache Configuration -> Include Editor, but it doesn't work. Have you worked on something similar?

    Thank you in advance!
     


  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,086
    Likes Received:
    1,288
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    If this is for the purpose of PCI compliance, you can verify the following options are disabled via "WHM >> Service Configuration >> Apache Configuration >> Global Configuration":

    Trace Enable
    Server Signature
    Server Tokens (Product Only)
    File ETag

    Additionally, you can browse to "WHM >> Software >> MultiPHP INI Editor", switch to Editor Mode, search for the "expose_php" option, and set it to "No".

    Thank you.
     
  3. rfcabal

    rfcabal Registered

    Thanks for your answer, I have disabled everything.

    Trace Off
    ServerSignature Off
    ServerToken ProductOnly
    File ETag Off

    Also, expose_php is off.

    Is there a way to remove the Server Header?

    Thank you.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The "Product Only" setting will still show "Apache", and this is the least information you can provide in the header. You can find documentation on this at:

    core - Apache HTTP Server Version 2.4

    Note the following warning:

    I do see some discussion of using Mod_Security to strip "Apache" from the header on this URL:

    How to remove HTTP Server "Apache"?

    However, that's unsupported and I'm not sure of the specific Mod_Security rule you'd use to achieve that.

    Thank you.
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    982
    Likes Received:
    75
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    It does not look like you can remove it entirely without modifying the source code, and obviously I don't recommend this. See: Reduce or remove server headers

    I did some quick testing with ModSecurity. I wasn't able to drop the "Server:" response header, but I was able to set it with this directive:

    Reference Manual · SpiderLabs/ModSecurity Wiki · GitHub

    The documentation above suggests you must set the Apache ServerTokens directive to Full. ModSecurity will then overwrite the server signature data held in this memory space with the data set in this directive. I was able to get it working with Product Only, but likely because I'm replacing with something very short (literally the string "null").

    Anyway, you should be able to set it to whatever you want. I know you want it gone, but perhaps just setting "null" or something would satisfy your needs. I used:

    SecServerSignature "null"

    In my custom conf. With a short string like that you can probably get away leaving ServerTokens as ProductOnly, but a longer replacement would need more memory space afforded by setting Full.
     
    #5 quizknows, Jun 20, 2017
    Last edited: Jun 20, 2017
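
Added example, not part of the original thread and not cPanel or ModSecurity code: a small Python check that audits a raw HTTP response for the banner settings discussed above (ServerTokens, ServerSignature, File ETag, expose_php, SecServerSignature). The sample responses, version strings and finding codes are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from a real server).
DEFAULT = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2k\r\n"
    "X-Powered-By: PHP/5.6.30\r\n"
    'ETag: "2c-54f6a1b2c3d40"\r\n'
    "\r\n"
    "<address>Apache/2.4.25 (Unix) Server at example.test Port 80</address>"
)
PRODUCT_ONLY = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\nok"
MODSEC_NULL = "HTTP/1.1 200 OK\r\nServer: null\r\nContent-Type: text/html\r\n\r\nok"


def split_response(raw):
    """Return (headers dict with lower-cased names, body) from a raw response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def audit(raw):
    """Return a list of finding codes for banner disclosure in one response."""
    headers, body = split_response(raw)
    findings = []
    server = headers.get("server", "")
    if re.search(r"/\d|\(", server):           # version number or "(OS)" token
        findings.append("server-version")      # ServerTokens is above ProductOnly
    elif server.lower() == "apache":
        findings.append("server-product")      # ProductOnly floor; SecServerSignature can overwrite it
    if "x-powered-by" in headers:
        findings.append("expose_php")          # typically PHP's expose_php setting
    if "etag" in headers:
        findings.append("file-etag")
    if re.search(r"<address>.*Server at ", body):
        findings.append("server-signature")    # ServerSignature footer on error pages
    return findings


if __name__ == "__main__":
    for label, raw in (("default", DEFAULT), ("ProductOnly", PRODUCT_ONLY),
                       ("SecServerSignature", MODSEC_NULL)):
        print(label, audit(raw) or "clean")
```

TRACE is not visible in a normal response, so the Trace Enable setting is outside what this check covers.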
  6. rfcabal

    rfcabal Registered

    Thanks! This works pretty good!
     