Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Necessary to set ServerSignature and ServerTokens apache config options with Rails apps?

I came across something in one of my rails books that said I should set

ServerSignature Off
ServerTokens Prod 

to disable apache from showing server information in production when the app screws up. Is this necessary? The only error message I see in prod is the standard Rails production error message. I never see any server information.

Are there any other security related apache config variables I need to set?

like image 781
Tony Avatar asked Jan 23 '23 10:01

Tony


1 Answers

It is not necessary, but it is recommended. By showing the server signature and the full server tokens you are giving potential hackers an easier way to identify how to hack your system. For example, with ServerSignature on and a full ServerToken, a hacker will know exactly what OS (including version) and server technology you are running.

Example. With ServerToken set to full you might get:

Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch Server

With it set to prod you will only get

Apache

This article on slicehost gives a good overview of how to approach serverSignature and serverTokens

like image 120
ae. Avatar answered Jan 26 '23 07:01

ae.