8.1 Ensure ServerTokens is Set to 'Prod' or 'ProductOnly'

Information

Configure the Apache ServerTokens directive to provide minimal information. By setting the value to Prod or ProductOnly. The only version information given in the server HTTP response header will be Apache rather than details on modules and versions installed.

Rationale:

Information is power and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much 'noise' being generated and may tip off an administrator. If an attacker can accurately target their exploits, the chances of successful compromise prior to detection increase dramatically. Script Kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released.

Solution

Perform the following to implement the recommended state:
Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly:

ServerTokens Prod

Default Value:

The default value is Full which provides the most detailed information.

See Also

https://workbench.cisecurity.org/files/4548