 

Is it good practice to hide web server information in HTTP headers?

This question is more security related than programming related, sorry if it shouldn't be here.

I'm currently developing a web application and I'm curious as to why most websites don't mind displaying their exact server configuration in HTTP headers, like versions of Apache and PHP, with complete "mod_perl, mod_python, ..." listing and so on.

From a security point of view, I'd prefer that it would be impossible to find out if I'm running PHP on Apache, ASP.NET on IIS or even Rails on Lighttpd.

Obviously "obscurity is not security", but should I be worried at all that visitors know what version of Apache and PHP my server is running? Is it good practice or totally unnecessary to hide this information?

Asked Dec 04 '08 by Franck
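For the Apache/PHP setup the question describes, the disclosure comes from a handful of directives. The following httpd configuration is an added example, not part of the original question, showing the weak settings beside the hardened ones (the `<IfModule mod_headers.c>` block assumes mod_headers is loaded; the sample `Server:` strings in the comments are constructed):

```apache
# Added example: Apache httpd core directives that control what the
# Server header and server-generated pages reveal.

# --- weak ---
# ServerTokens Full is the compiled-in default and yields a header like
#   Server: Apache/2.2.3 (CentOS) PHP/5.1.6 mod_perl/2.0.2   (constructed sample)
# ServerSignature On appends the same string to error pages and
# directory listings.
#
# ServerTokens Full
# ServerSignature On

# --- hardened ---
# Prod reduces the header to the bare product name ("Server: Apache");
# core httpd has no setting that removes or rewrites it entirely.
ServerTokens Prod
ServerSignature Off

# PHP adds its own "X-Powered-By: PHP/x.y.z" header. The right fix is
# expose_php = Off in php.ini; if you cannot edit php.ini, strip it with
# mod_headers instead (requires mod_headers to be loaded).
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>
```

Two caveats a practitioner will hit: `Header unset Server` does not work in stock httpd because the core adds the `Server` header after mod_headers has run, so replacing it with a different product string (as the first answer suggests) needs something like ModSecurity's `SecServerSignature` directive; and for nginx the equivalent is `server_tokens off;`, which likewise hides the version but still sends `Server: nginx`.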



2 Answers

Prevailing wisdom is to remove the server ID and the version; better yet, change them to another legitimate server ID and version - that way the attacker goes off trying IIS vulnerabilities against Apache or something like that. Might as well mislead the attacker.

But honestly, there are so many other clues to go by, I wonder about whether this is worth it. I suppose it could stop attackers using a search engine to find servers with known vulnerabilities.

(Personally, I don't bother on my HTTP server, but it's written in Java and much less vulnerable to the typical kinds of attack.)

Answered Sep 22 '22 by Lawrence Dol
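The answer above makes two points: strip (or rewrite) the `Server` header, but expect other clues to give the stack away anyway. The script below is an added example, not code from the original thread, that checks both. It parses a raw HTTP response head, flags headers that disclose a product and version, and then reports the secondary clues (default session-cookie names such as `PHPSESSID`) that survive header stripping. The two sample responses are constructed, and the cookie-to-stack mapping is an assumed, illustrative table rather than an authoritative fingerprint database.

```python
"""Audit an HTTP response head for server-fingerprint disclosure.

Added example (not from the original post). Input is the raw response
head as bytes-decoded text; the samples below are constructed.
"""
import re

# Headers that commonly carry a product/version fingerprint.
DISCLOSURE_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
)

# Secondary clues that survive even after Server/X-Powered-By are removed.
# Assumed, illustrative mapping of well-known default session cookie names.
COOKIE_CLUES = {
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "JSESSIONID": "Java servlet container",
    "_session_id": "Rails",
}

# Anything that looks like a dotted version number, e.g. 2.2.3 or 5.1.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")


def parse_headers(raw):
    """Split a raw response head into (status_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return status, headers


def audit(raw):
    """Return findings as (severity, header_name, detail) tuples.

    high: product and version disclosed (e.g. "Apache/2.2.3 ... PHP/5.1.6")
    low:  product only (e.g. "Apache", what ServerTokens Prod leaves)
    info: a default cookie name that still hints at the stack
    """
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname in DISCLOSURE_HEADERS:
            if VERSION_RE.search(value):
                findings.append(("high", name, f"product and version: {value}"))
            else:
                findings.append(("low", name, f"product only: {value}"))
        elif lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in COOKIE_CLUES:
                findings.append(
                    ("info", name,
                     f"default cookie {cookie_name} suggests {COOKIE_CLUES[cookie_name]}")
                )
    return findings


# Constructed sample: a stock Apache/PHP response before hardening.
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS) PHP/5.1.6 mod_perl/2.0.2\r\n"
    "X-Powered-By: PHP/5.1.6\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: same server after ServerTokens Prod and expose_php=Off.
# The Server header is down to the product name, but the cookie still talks.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for severity, header, detail in audit(sample):
            print(f"  [{severity}] {header}: {detail}")
```

Running it shows the hardened response dropping from two "high" findings to one "low" (the bare `Server: Apache`) while the `PHPSESSID` clue remains, which is exactly the "so many other clues" point: renaming the session cookie (PHP's `session.name`) or changing the header order is the next step if you really want to defeat fingerprinting, and at that stage the cost usually outweighs the benefit.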


I think you usually see those headers because the systems send them by default.

I routinely remove them as they provide no real value and could, as you suggested, reveal information about the server.

Answered Sep 20 '22 by Michael Haren