Security - Apache ServerTokens

Description

An Apache production web server should not give details in the 'Server:' header.

Tags

  • SV-36672r1_rule

Solution

a2enconf security

Check Script: security-apache-server-tokens.sh

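for dir in /etc/apache2 /usr/local/apache2/conf /usr/local/apache/conf; do
	if [ -d "$dir" ]; then
		# grep -R follows the symlinks inside the *-enabled directories (rgrep / grep -r does not).
		# The leading anchor skips commented-out directives such as "#ServerTokens Prod".
		if ! grep -Rqi "^[[:space:]]*ServerTokens[[:space:]][[:space:]]*Prod" "$dir"/*-enabled; then
			result_failed "ServerTokens is not set to 'Prod'"
		fi
	fi
done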
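
The check script above inspects the configuration files; the header the server actually sends can be verified as well. The shell functions below are an added example, not part of the original check script: they report which details a 'Server:' header discloses. The function names and the sample responses are constructed for illustration.

```shell
# Constructed sample responses (not captured from a real server).
SAMPLE_FULL='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.57 (Debian) OpenSSL/3.0.11
Content-Type: text/html'

SAMPLE_OS='HTTP/1.1 200 OK
Server: Apache/2.4.57 (Debian)'

SAMPLE_PROD='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

# Print the value of the Server header found in raw response headers ($1).
server_header_value() {
	printf '%s\n' "$1" | tr -d '\r' |
		sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//p' | head -n 1
}

# Print what the header discloses: "version", "os" and/or "modules".
# Prints an empty line for a bare product name or a missing header.
server_header_leaks() {
	value=$(server_header_value "$1")
	leaks=""
	# A "/<digit>" after a product name is a version number.
	case "$value" in */[0-9]*) leaks="version" ;; esac
	# A parenthesised comment carries the OS or distribution.
	case "$value" in *"("*")"*) leaks="$leaks os" ;; esac
	# Whatever is left after the first token and the comment is a module list.
	rest=$(printf '%s\n' "$value" |
		sed 's/^[^[:space:]]*//; s/([^)]*)//; s/[[:space:]]//g')
	if [ -n "$rest" ]; then leaks="$leaks modules"; fi
	printf '%s\n' "${leaks# }"
}

# Exit status 0 only when the header discloses nothing beyond the product name.
server_header_is_minimal() {
	[ -z "$(server_header_leaks "$1")" ]
}

# Usage against a local server (assumes curl is installed):
#   server_header_leaks "$(curl -sI http://localhost/)"
```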