Apache Obfuscation by disabling trace and server tokens
Apache obfuscation is very easy to achieve and the benefits are great: the server no longer discloses information such as its version and OS, and it no longer outputs verbose errors when 'bad things happen', and they do happen.
Edit the Apache configuration file, usually available here on RedHat-based distributions:
Make sure the following settings are present, save, and restart Apache:
How do we test that this is actually working?
How to test TraceEnable:
1. curl -v -X TRACE http://…
2. Confirm you get a forbidden response
How to test ServerTokens:
1. Make a request to the website and check the response headers
2. Confirm the response contains only “Apache” information in the Server header
How to test ServerSignature:
1. Make a request to the website for a URL that should respond with an Apache server error
2. Confirm you don't see information about the Apache server software version, OS, etc.
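The three checks above, as an added example that is not part of the original post: a POSIX shell script that applies them offline to raw HTTP responses of the kind `curl -si` prints. The sample responses, including the version strings in them, are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for TraceEnable Off,
# ServerTokens Prod and ServerSignature Off, run against raw HTTP responses in
# the form `curl -si` prints them. Sample responses below are constructed.

# TraceEnable Off: Apache answers TRACE with 405 Method Not Allowed (a 403 also
# means the method was refused). Argument: the full response text.
trace_is_disabled() {
    status=$(printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    case "$status" in
        403|405) return 0 ;;
        *)       return 1 ;;
    esac
}

# ServerTokens Prod: the Server header is exactly "Apache", nothing after it.
server_tokens_minimal() {
    server=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ss]erver: *//p' | head -n 1)
    [ "$server" = "Apache" ]
}

# ServerSignature Off: the body (everything after the first blank line) carries
# no "Apache/x.y (OS) Server at <host> Port <n>" footer.
signature_is_hidden() {
    body=$(printf '%s\n' "$1" | tr -d '\r' | sed '1,/^$/d')
    ! printf '%s\n' "$body" | grep -Eiq 'Apache/[0-9]|Server at .* Port [0-9]+'
}

# Constructed sample responses: one from a hardened server, one that leaks.
HARDENED_TRACE='HTTP/1.1 405 Method Not Allowed
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Method Not Allowed</h1></body></html>'

LEAKY_404='HTTP/1.1 404 Not Found
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1>
<address>Apache/2.4.6 (CentOS) Server at www.example.com Port 80</address>
</body></html>'

# Print a PASS/FAIL line per check; pipe a live `curl -si` capture in the same way.
report() { if "$1" "$2"; then echo "PASS $1"; else echo "FAIL $1"; fi; }
report trace_is_disabled     "$HARDENED_TRACE"   # PASS
report server_tokens_minimal "$HARDENED_TRACE"   # PASS
report server_tokens_minimal "$LEAKY_404"        # FAIL
report signature_is_hidden   "$LEAKY_404"        # FAIL
```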