Remove version info in PHP/Apache2

cloudsidedev / appside

Multitenant environment automation.

http://cloudside.ch

GNU Affero General Public License v3.0

38 stars 7 forks source link

Remove version info in PHP/Apache2 #28

Closed ivomarino closed 7 years ago

ivomarino commented 7 years ago

We don't want to show, per default, Apache version, PHP version and OS Version, this implies:

[x] expose_php = Off
[x] ServerTokens Prod
[x] ServerSignature Off

ivomarino commented 7 years ago

% curl -I http://localhost

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Dec 2016 17:22:44 GMT
X-Varnish: 1583101892
Age: 0
Via: 1.1 varnish

Server: Apache is still there, to remove it we must install mod_security like written here https://unix.stackexchange.com/questions/124137/change-apache-httpd-server-http-header but this would have other impacts which must be evaluated.

swissspidy commented 7 years ago

With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive without any additional "baggage."

But yeah, the current setting is enough for now.

@ivomarino need to re-provision?