I am using this in a VirtualHost

<IfModule headers_module>
    Header set ProcessingTime "%D"
    Header set Server "Apache 2.4"
</IfModule>

I can see that the ProcessingTime is set happily, but Server is set by some default, which tells too much about software versions of the server.

What am I doing wrong, and can I figure out where the Server header is finally set?

I have tried:

  • sudo grep -Rin "Header" /etc/httpd/conf.d/ -> no result for Header set Server
  • sudo grep -Rin "servertokens" /etc/httpd/conf.d/ -> absolutely no result

Apache version: Apache/2.4.53 (codeit) on CentOS.

BairDev

2 Answers

Use the ServerTokens Directive in the server config context, instead.

ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache

ServerTokens Major
Server sends (e.g.): Server: Apache/2

ServerTokens Minor
Server sends (e.g.): Server: Apache/2.4

ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.4.2

ServerTokens OS
Server sends (e.g.): Server: Apache/2.4.2 (Unix)

Esa Jokinen

Usually people want to hide the Server header because some auditor told them to or their vulnerability scanner doesn't understand backporting.

Have a look for ServerTokens in your config and the manual.

symcbean
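
Added example, not part of the original posts: the grep in the question only covered /etc/httpd/conf.d/, so this sketch starts at the main configuration file, follows Include/IncludeOptional, and reports every ServerTokens line plus the value in effect (Full when none is specified, as in the first answer). The function names, the constructed sample tree and the last-directive-wins rule are assumptions of this example.

```python
import glob
import os
import re
import tempfile
from pathlib import Path

# Only these directives matter here; a leading '#' never matches, so comments are skipped.
DIRECTIVE = re.compile(r'^\s*(ServerTokens|ServerRoot|Include(?:Optional)?)\s+(\S.*?)\s*$', re.I)

def find_servertokens(main_conf, server_root):
    """Follow Include/IncludeOptional from main_conf; return (effective, hits)."""
    root = [server_root]          # mutable so a ServerRoot directive can update it
    hits, seen = [], set()
    def walk(path):
        path = os.path.abspath(path)
        if path in seen or not os.path.isfile(path):
            return
        seen.add(path)
        with open(path, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                m = DIRECTIVE.match(line)
                if not m:
                    continue
                name, arg = m.group(1).lower(), m.group(2).strip('"')
                if name == "serverroot":
                    root[0] = arg
                elif name == "servertokens":
                    hits.append((path, lineno, arg))
                else:
                    # Relative include paths resolve against ServerRoot;
                    # wildcard matches are read in alphabetical order.
                    for target in sorted(glob.glob(os.path.join(root[0], arg))):
                        walk(target)

    walk(main_conf)
    # Assumption: the last ServerTokens read wins; none at all means Full.
    return (hits[-1][2] if hits else "Full"), hits

def demo():
    """Constructed sample tree: no ServerTokens at first, then a drop-in adds one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "conf.d").mkdir()
        (root / "httpd.conf").write_text('ServerRoot "%s"\n# ServerTokens OS\nIncludeOptional conf.d/*.conf\n' % d)
        (root / "conf.d/vhost.conf").write_text('<VirtualHost *:80>\n    Header set ProcessingTime "%D"\n</VirtualHost>\n')
        before = find_servertokens(root / "httpd.conf", d)[0]
        (root / "conf.d/00-hardening.conf").write_text("ServerTokens Prod\n")
        after, hits = find_servertokens(root / "httpd.conf", d)
        return before, after, [(os.path.basename(p), n, v) for p, n, v in hits]
```

On the system from the question this would be called as find_servertokens("/etc/httpd/conf/httpd.conf", "/etc/httpd"), assuming the stock CentOS layout.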