
I'm trying to unset the "Server" field in response headers. I do this using Header unset Server, and that works fine for requests handled by mod_perl. However, for requests to /static I use Apache to serve static files. For some reason, when these files are loaded directly in the browser, the Server field is not removed. How can I go about fixing this?

Relevant parts of my httpd.conf:

```apache
LoadModule headers_module modules/mod_headers.so
Header unset Server

<VirtualHost *:80>

    <Location />
        SetHandler modperl
        PerlResponseHandler MyHandler
    </Location>

    Alias /static/ /home/site/static/

    <Location /static>
        SetHandler None
    </Location>
</VirtualHost>
```
Sam Lee

1 Answer


Turning the server token off in the header does not appear to be an option for static content. You can reduce the disclosure to Apache using the ServerTokens option. You can minimize disclosure by adding the following lines to your configuration. Reload the configuration after making the change.

```apache
ServerSignature Off
ServerTokens Prod
```
BillThor
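To confirm after the reload that both the mod_perl paths and /static return no more than the `ServerTokens Prod` form, the check below classifies each response's Server header by the ServerTokens level it reveals. It is an added example, not part of the original question or answer; the function names are hypothetical, and the sample responses and version strings are constructed.

```python
import re

# Apache product-token layouts by ServerTokens level, as listed in the Apache core docs.
_LEVELS = [
    ("Prod",  re.compile(r"^Apache$")),
    ("Major", re.compile(r"^Apache/\d+$")),
    ("Minor", re.compile(r"^Apache/\d+\.\d+$")),
    ("Min",   re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("OS",    re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$")),
    ("Full",  re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\) .+$")),
]

def server_header(raw_headers):
    """Return the Server header value from a raw header block, or None."""
    for line in raw_headers.splitlines()[1:]:      # skip the status line
        if not line:                               # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def classify(value):
    """Map a Server header value to the ServerTokens level it reveals."""
    if value is None:
        return "absent"
    for level, pattern in _LEVELS:
        if pattern.match(value):
            return level
    return "non-Apache"

def audit(responses):
    """Return {path: level} for paths whose header is neither absent nor bare 'Apache'."""
    levels = {p: classify(server_header(raw)) for p, raw in responses.items()}
    return {p: lvl for p, lvl in levels.items() if lvl not in ("absent", "Prod")}

# Constructed sample responses (not captured from the asker's server).
SAMPLE = {
    "/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "/static/logo.png": "HTTP/1.1 200 OK\r\n"
                        "Server: Apache/2.2.15 (CentOS) mod_perl/2.0.4\r\n\r\n",
    "/static/site.css": "HTTP/1.1 200 OK\r\nserver: Apache\r\n\r\n",
}

if __name__ == "__main__":
    for path, level in audit(SAMPLE).items():
        print(f"{path}: Server header reveals ServerTokens {level} detail")
```

In practice the raw header blocks would come from saved responses for one dynamic URL and one /static URL on the site being checked.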