Is there any reason to keep the "Server" response header in Apache

Nic Cottrell asked:

My server responds with Server: Apache/2.2.15 (CentOS) to all requests. I guess that this gives away my server architecture, making hack attempts easier.

Is this ever useful to a web browser? Should I keep it on?

My answer:

You can change the Server header if you want, but don’t count on this for security. Only keeping up to date will do that, since an attacker can just ignore your Server header and try every known exploit from the beginning of time.

RFC 2616 states, in part:

Server implementors are encouraged to make this field a configurable option.

And Apache did, with the ServerTokens directive. You can use this if you wish, but again, don’t think that it’s going to magically prevent you from getting attacked.

View the full question and answer on Server Fault.
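As an added defender-side check (my own code, not from the question, the answer, or the Apache project): given a Server header value, report which Apache ServerTokens level it is consistent with, using the header shapes the Apache httpd documentation lists for each level (Prod through Full). The sample header values are constructed; the check only tells you how much you are disclosing, not whether the build is patched.

```python
import re

# Constructed sample Server header values, one per Apache ServerTokens level
# (Prod, Major, Minor, Min, OS, Full), shaped as the httpd docs describe them.
SAMPLE_HEADERS = {
    "Prod": "Apache",
    "Major": "Apache/2",
    "Minor": "Apache/2.2",
    "Min": "Apache/2.2.15",
    "OS": "Apache/2.2.15 (CentOS)",
    "Full": "Apache/2.2.15 (CentOS) PHP/5.3.3 mod_ssl/2.2.15",
}

# Product, optional version (major[.minor[.patch]]), optional "(OS)" token,
# then optional whitespace-separated module list; anything else is not
# recognised as an Apache httpd header (e.g. "Apache-Coyote/1.1").
_PATTERN = re.compile(
    r"^Apache"
    r"(?:/(?P<major>\d+)(?:\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?)?)?"
    r"(?P<os>\s*\([^)]*\))?"
    r"(?P<modules>(?:\s+\S.*)?)$"
)


def classify_server_header(value: str) -> str:
    """Return the ServerTokens level a Server header value matches.

    Returns "Unknown" when the value is not an Apache httpd header.
    """
    m = _PATTERN.match(value.strip())
    if not m:
        return "Unknown"
    if m.group("modules").strip():
        return "Full"      # module versions appended: most disclosure
    if m.group("os"):
        return "OS"        # full version plus operating system
    if m.group("patch") is not None:
        return "Min"       # full version, no OS
    if m.group("minor") is not None:
        return "Minor"
    if m.group("major") is not None:
        return "Major"
    return "Prod"          # product name only: least disclosure


def discloses_version(value: str) -> bool:
    """True when the header leaks any version component."""
    return classify_server_header(value) not in ("Prod", "Unknown")
```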

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.