Obfuscating the server field of an HTTP response header

Question

I'm new to administering a server, and I'm wondering if there is any value in obfuscating the server field for HTTP response headers I'm sending out.

Would this prevent hackers from determining which webserver I'm using, and therefore make it more difficult to locate an exploitable crack in my security?

+1 for using the word obfuscating. – joeqwerty Sep 08 '11 at 00:31 — joeqwerty, Sep 08 '11 at 00:31
can i say: "security through obscurity...." – sybreon Sep 08 '11 at 07:58 — sybreon, Sep 08 '11 at 07:58

score 4 · Accepted Answer · answered Sep 07 '11 at 17:50

4

It'll fool some bots, but a human attacker isn't going to care that you're not advertising your server's minor version in headers. There is value in bot dodging, but it's pretty limited.

If you're looking to do this, make sure you aren't presenting full version information on error pages, either (the ServerSignature directive, for example, in Apache).

answered Sep 07 '11 at 17:50

Shane Madden

114,520
13
181
251

Thanks, it doesn't seem like it'll cause any harm so I think I'll implement what you're suggestion and ensure the error pages are server info free. – Anony372 Sep 07 '11 at 20:59

score 4 · Answer 2 · answered Sep 07 '11 at 17:52

4

No. They'll just either figure out the server using other quirky behavior or they'll try all exploits for all servers.

answered Sep 07 '11 at 17:52

David Schwartz

31,449
2
55
84

Obfuscating the server field of an HTTP response header

2 Answers2