aknosis.com


Hiding Unnecessary Response Headers Apache/PHP


One way to help protect a website or server is not to advertise what platform and application versions it is running. If you requested a PHP file from my site, you would see response headers that are useful to anyone looking to break in, cause havoc and so on.

Here are the response headers from my request to aknosis.com (I'm viewing all of this in Firebug; if you don't have it, get it, it is the best web development tool in my arsenal):

Date Wed, 14 Oct 2009 05:59:59 GMT
Server Apache/2.2.3 (CentOS) PHP/5.2.9 mod_ssl/2.2.3 OpenSSL/0.9.8b
X-Powered-By PHP/5.2.9
X-Pingback http://www.aknosis.com/akwp/xmlrpc.php
Expires Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified Wed, 14 Oct 2009 06:00:00 GMT
Cache-Control no-cache, must-revalidate, max-age=0
Pragma no-cache
Vary Accept-Encoding,User-Agent
Content-Encoding gzip
Content-Length 10636
Keep-Alive timeout=2, max=100
Connection Keep-Alive
Content-Type text/html; charset=UTF-8

So if you are running a known insecure version of PHP, Apache or any other out-of-date software, and that version is exposed in the response headers, an attacker has to look no further to determine what you are running and how best to attack you. Hiding the version does not fix a vulnerability (patching does), but it stops handing every visitor a ready-made list of targets.

Apache

The first place to look is your httpd.conf. These are the settings you want:

ServerTokens Directive

ServerTokens Prod

Tells Apache to output only the product name; the version, OS and loaded modules are hidden. After changing this directive the Server response header is:

Server: Apache

ServerSignature Directive

ServerSignature Off

Pages generated by Apache itself (error pages, directory listings) carry a small signature at the bottom with server information; setting this to Off suppresses that extra detail that no one needs.

PHP

Now to get rid of that pesky X-Powered-By header, which is added by PHP. This is done in your php.ini file, where the stock setting looks like this:

; Misc
;
; Decides whether PHP may expose the fact that it is installed
; on the server (e.g. by adding its signature to the Web
; server header). It is no security threat in any way, but it
; makes it possible to determine whether you use PHP on your
; server or not.
expose_php = On

I think telling everyone what language you are using, and which version, is just a bad idea. Yes, you can figure this out by other methods (like what software is running… WordPress anyone? heh), but I see no good reason to leave this on. What's worse is that it is On by default (at least in my CentOS RPM). So turn that bad boy off:

expose_php = Off

Don't forget to restart Apache: mod_php reads php.ini only when the server starts, so the change is not live until you do (there is no need to reboot the whole box). Let's be nice to any current surfers and do it gracefully:

service httpd graceful

Now a response from aknosis.com is much cleaner and ‘safer’:

Date Wed, 14 Oct 2009 06:04:21 GMT
Server Apache
X-Pingback http://www.aknosis.com/akwp/xmlrpc.php
Expires Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified Wed, 14 Oct 2009 06:04:21 GMT
Cache-Control no-cache, must-revalidate, max-age=0
Pragma no-cache
Vary Accept-Encoding,User-Agent
Content-Encoding gzip
Content-Length 10636
Keep-Alive timeout=2, max=100
Connection Keep-Alive
Content-Type text/html; charset=UTF-8

So there you have it: two simple file edits and a graceful restart of the web server, and you are one step ahead in the battle for a secure web environment. The Server header still says Apache and X-Pingback still gives away WordPress, so this is about removing the free version roadmap, not about becoming invisible.
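To confirm the change took effect (and to catch the same leak on any other host you manage), here is a small checker, added here as an example and not part of the original post. audit_headers reads a raw header block, flags X-Powered-By and a Server value that carries a version, OS or module list, and exits non-zero when anything leaked; the sample_before and sample_after functions are the headers quoted above, rewritten in the "Name: value" form a server actually sends, and are constructed test data. The extra header names it checks (X-AspNet-Version, X-AspNetMvc-Version, X-Generator) and the X-Pingback note go beyond the post's own example; check_site is an assumed wrapper around curl.

```shell
#!/bin/sh
# Audit an HTTP response header block for product/version leaks.
# Input: raw headers, one "Name: value" per line (CRLF or LF), such as
#   curl -s -D - -o /dev/null http://www.example.com/index.php
# produces. Prints "LEAK ..." for each offending header and "NOTE ..." for
# headers that fingerprint the application without a version.
# Exit status: 1 if anything leaked, 0 if the block is clean.
audit_headers() {
    tr -d '\r' | awk '
        {
            # lowercased header name; value is everything after the colon
            name = tolower($0); sub(/:.*$/, "", name)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        }
        # headers whose only purpose is to advertise the runtime and version
        name == "x-powered-by" || name == "x-aspnet-version" ||
        name == "x-aspnetmvc-version" || name == "x-generator" {
            print "LEAK " $0; leaks++; next
        }
        # a bare product name ("Apache") is fine; a slash or parenthesis means
        # a version, OS or module list is attached (ServerTokens not Prod)
        name == "server" && value ~ "[/(]" {
            print "LEAK " $0; leaks++; next
        }
        # not a version leak, but it still identifies WordPress
        name == "x-pingback" {
            print "NOTE " $0 " (advertises a WordPress XML-RPC endpoint)"
        }
        END { exit (leaks > 0) }
    '
}

# Constructed sample: the headers quoted in the post before the change.
sample_before() {
    printf '%s\n' \
        'HTTP/1.1 200 OK' \
        'Date: Wed, 14 Oct 2009 05:59:59 GMT' \
        'Server: Apache/2.2.3 (CentOS) PHP/5.2.9 mod_ssl/2.2.3 OpenSSL/0.9.8b' \
        'X-Powered-By: PHP/5.2.9' \
        'X-Pingback: http://www.aknosis.com/akwp/xmlrpc.php' \
        'Content-Type: text/html; charset=UTF-8'
}

# Constructed sample: the headers quoted in the post after the change.
sample_after() {
    printf '%s\n' \
        'HTTP/1.1 200 OK' \
        'Date: Wed, 14 Oct 2009 06:04:21 GMT' \
        'Server: Apache' \
        'X-Pingback: http://www.aknosis.com/akwp/xmlrpc.php' \
        'Content-Type: text/html; charset=UTF-8'
}

# Live check against a URL (needs network). -D - dumps the response headers
# to stdout; -o /dev/null discards the body. Assumed helper, not from the post.
check_site() {
    curl -s -D - -o /dev/null "$1" | audit_headers
}

# Usage: sh audit.sh http://www.aknosis.com/somepage.php
if [ "$#" -gt 0 ]; then
    check_site "$1"
fi
```

Run it against a URL after the graceful restart; a clean block returns 0, so it drops straight into a cron job or a deployment check. The X-Pingback line is only reported as a note because hiding it is a WordPress decision rather than a server one.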

Don't have access to httpd.conf? ServerTokens can only be set in the main server config, but ServerSignature can be set in .htaccess. Don't have access to php.ini? expose_php is a PHP_INI_SYSTEM setting, so it can only be changed in php.ini or in httpd.conf (php_admin_flag expose_php Off), not in .htaccess or with ini_set() :(

However, I do think it is perfectly valid to submit a request to change these if you are using a paid webhost, so go right ahead and do so!
