8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly'


Configure the Apache 'ServerTokens' directive to provide minimal information by setting its value to 'Prod' or 'ProductOnly'. The Server HTTP response header will then contain only 'Apache', rather than details of the installed version, operating system, and modules.


Information is power, and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may generate too much 'noise' and tip off an administrator. If an attacker can accurately target exploits, the chances of successful compromise prior to detection increase dramatically. Script kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released.


Perform the following to implement the recommended state:

Add or modify the 'ServerTokens' directive as shown below to have the value of 'Prod' or 'ProductOnly':

ServerTokens Prod
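To audit the setting rather than only apply it, the following is an added helper script (not part of the benchmark text and not Tenable's plugin logic): a POSIX shell script that reports the effective ServerTokens value in a given Apache configuration file and checks it against this recommendation. It applies Apache's own rules for this directive: the directive name and its value are case-insensitive, the last occurrence read wins, and 'Full' is the compiled-in default when the directive is absent. It assumes the directive lives in the file you pass to it (Include and IncludeOptional directives are not followed, so run it against each file that may carry the directive); the configuration files it writes in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper: determine the effective Apache ServerTokens value.
# Assumption: checks only the file given; Include'd files are not followed.

# effective_server_tokens FILE
# Prints the value of the last uncommented ServerTokens directive in FILE
# (Apache keeps the last one it parses), or "Full" when none is present,
# because Full is the default when the directive is absent.
effective_server_tokens() {
    awk '
        /^[ \t]*#/ { next }                              # comment line
        tolower($1) == "servertokens" && NF >= 2 { val = $2 }  # last one wins
        END { print (val == "" ? "Full" : val) }
    ' "$1"
}

# servertokens_compliant FILE
# Returns 0 when the effective value is Prod or ProductOnly (compared
# case-insensitively, as Apache does), 1 otherwise.
servertokens_compliant() {
    v=$(effective_server_tokens "$1" | tr '[:upper:]' '[:lower:]')
    case "$v" in
        prod|productonly) return 0 ;;
        *)                return 1 ;;
    esac
}

# demo: constructed sample configurations (not real server files) showing
# a failing file, a file fixed by a later directive, and a file with no
# directive at all (which falls back to the default, Full).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'ServerName www.example.com' '# ServerTokens Prod' \
        'ServerTokens OS' > "$tmp/weak.conf"
    printf '%s\n' 'ServerTokens Full' 'servertokens prod' > "$tmp/fixed.conf"
    printf '%s\n' 'ServerName www.example.com' > "$tmp/absent.conf"
    for f in "$tmp"/*.conf; do
        if servertokens_compliant "$f"; then
            echo "PASS $(basename "$f"): ServerTokens $(effective_server_tokens "$f")"
        else
            echo "FAIL $(basename "$f"): ServerTokens $(effective_server_tokens "$f")"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Note that a commented-out 'ServerTokens Prod' line (as in the weak.conf sample) is ignored, and that a file with no directive at all is reported as Full and therefore fails, which is the case this recommendation is most often addressing.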

Item Details


References: 800-53|AC-3, CSCv6|18.9, CSCv7|14.7

Plugin: Unix

Control ID: dc09a601a57df21e74caa6cd58f9edbee34a0e5782be365217a2c608edad1f9a