ServerTokens is an Apache directive that determines whether the version of Apache in use is mentioned in the HTTP response. It is highly recommended to disclose as little information as possible about your web server. Exposing the Apache version is not a security risk by itself, and hiding it will not stop a determined hacker, but it will protect you if an attacker is running an automated scan to discover potential sites running a particular version. This scenario is possible if, for example, a new vulnerability is discovered and the attacker needs to quickly locate as many vulnerable systems as possible.
Setting ServerTokens
The snippet below is taken from the Apache website and explains the different options:
ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Major
Server sends (e.g.): Server: Apache/2
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
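To check which of these levels a server is actually sending, the following Python sketch maps a Server header value to the least verbose ServerTokens setting that would produce it. It is an added example, not code from the Apache documentation or the original post; the function names and the sample response are constructed for illustration.

```python
import re

# "Apache", optional "/version", optional "(OS)", optional trailing module tokens.
_SERVER_RE = re.compile(
    r"^Apache(?:/(?P<ver>\d+(?:\.\d+)*))?"
    r"(?:\s+\((?P<os>[^)]*)\))?"
    r"(?P<mods>(?:\s+\S+)*)\s*$"
)

def classify_server_header(value):
    """Return the least verbose ServerTokens level that yields this value,
    or None if the value is not an Apache httpd banner."""
    m = _SERVER_RE.match(value.strip())
    if m is None:
        return None
    ver, os_name, mods = m.group("ver"), m.group("os"), m.group("mods").strip()
    if mods:                      # module tokens such as PHP/4.2.2
        return "Full"
    if os_name is not None:       # "(Unix)" and similar
        return "OS"
    if ver is None:               # bare "Apache"
        return "Prod"
    parts = ver.count(".") + 1    # 2 -> Major, 2.0 -> Minor, 2.0.41 -> Min
    return {1: "Major", 2: "Minor"}.get(parts, "Min")

def audit_headers(raw):
    """Find the Server header in a raw HTTP response head.
    Returns (header value, ServerTokens level) or (None, None)."""
    for line in raw.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip(), classify_server_header(value)
    return None, None

# Constructed sample response head, using the banner from the listing above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    value, level = audit_headers(SAMPLE_RESPONSE)
    print(f"{value!r} -> ServerTokens {level}")
    if level not in (None, "Prod"):
        print("Banner reveals more than the product name; consider ServerTokens Prod")
```
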