2.4 Ensure the Status Module Is Disabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


The Apache mod_status module provides current server performance statistics.


When mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess). The mod_status module may provide an adversary with information that can be used to refine exploits that depend on measuring server load.


Perform either one of the following to disable the mod_status module:

For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options.

$ ./configure --disable-status

For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file.

##LoadModule status_module modules/mod_status.so

Default Value:

The mod_status module IS enabled with a default source build.

See Also