Disable Server Banners

Most web servers display their version and the modules in use by default. Security best practices recommend that you disable this option, since the information can be misused against your site.

The NIST Guide for Securing Web Servers also recommends it.

This is an example of a server banner on Apache with the option enabled:

Apache/2.2.22 (Unix)
  mod_ssl/2.2.22
  OpenSSL/0.9.8e-fips-rhel5
  mod_auth_passthrough/2.1
  mod_bwlimited/1.4
  FrontPage/5.0.2.2635
  mod_perl/2.0.5 Perl/v5.8.8

As you can see, it leaks not only the Apache version (in this case outdated), but also the modules being used and their versions. The same applies to NGINX and IIS.

Disabling on Apache

To disable server banners on Apache, you will need to edit your httpd.conf and add:

ServerSignature Off
ServerTokens Prod

If you are on a shared server, you will need to contact your hosting provider to make this change for you.
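
To confirm the change took effect, compare the Server header before and after reloading Apache. With ServerTokens Prod, Apache still sends "Server: Apache", but without versions, modules or the OS comment. The check below is an added example, not Sucuri's code; the function names are hypothetical, and it parses the banner shown above into product/version pairs and reports what it still discloses:

```python
import re

# RFC 9110 "product" token: name, optionally followed by /version.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PRODUCT = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")
COMMENT = re.compile(r"\(([^()]*)\)")


def banner_leaks(server_header):
    """Return what a Server header value discloses beyond the product name.

    versions - list of (product, version) pairs, e.g. ("mod_ssl", "2.2.22")
    comments - list of parenthesised comments, e.g. "Unix"
    Both lists are empty for a minimal banner such as "Apache".
    """
    value = " ".join(server_header.split())   # collapse line breaks and runs of spaces
    comments = COMMENT.findall(value)
    value = COMMENT.sub(" ", value)           # drop comments before tokenising
    versions = []
    for tok in value.split():
        m = PRODUCT.fullmatch(tok)
        if m and m.group(2):                  # only tokens that carry a version
            versions.append((m.group(1), m.group(2)))
    return {"versions": versions, "comments": comments}


def is_hardened(server_header):
    """True when the banner exposes no version numbers and no OS comment."""
    leaks = banner_leaks(server_header)
    return not leaks["versions"] and not leaks["comments"]


# The verbose banner from this page, and the value sent with ServerTokens Prod.
VERBOSE = ("Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 "
           "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 "
           "mod_perl/2.0.5 Perl/v5.8.8")
PROD = "Apache"

if __name__ == "__main__":
    for label, banner in (("before", VERBOSE), ("after", PROD)):
        state = "hardened" if is_hardened(banner) else "leaks"
        print(label, state, banner_leaks(banner))
```

Feed it the Server header value your site actually returns; any remaining product/version pair means the directive is not active for that virtual host or a proxy in front is adding its own banner.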

Sucuri Customers

Note that all WAF users are already protected against it.

If you have any questions, please contact our research team at research@sucuri.net.
