The Server Signature plays a key role in the functioning of web servers. It serves as an identification tag that web servers present to web browsers when we request a web page. You can think of it as a virtual business card that the server displays to the outside world.
What is the Server Signature directive?
As previously explained, the Server Signature can be considered an ID tag or a virtual business card used by web servers. When a web browser requests a page from a web server, the web server can send this data along with the required information.
Contained within this Server Signature is critical information, including the type of software the server is running, its version, and sometimes even details about the server’s operating system. This information is valuable for website administrators, allowing them to keep tabs on their servers and ensure they’re up to date.
However, revealing too much information through this can pose a security risk. Bad guys can exploit this data to identify specific vulnerabilities in the server software, making it a potential target for attacks. As a result, web server administrators must configure the server signature settings carefully, disclosing as little detail as possible.
The Apache Server Signature
The Apache server signature is a functionality that enables Apache web servers to include extra details in the HTTP responses they send to browsers and clients. These details typically encompass the name and version of the Apache server, along with information about the operating system it’s running on.
The official Apache docs mention that “The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, mod_info output, …).”
While this feature can be beneficial for system administrators and web developers by providing a quick look into the server environment, it also presents a security concern. Bad guys can use this information to find specific vulnerabilities in the server’s version and launch nasty attacks. Therefore, it’s advisable to either deactivate or alter the Apache server signature to minimize the risk of exposing sensitive information.
Thanks to the Server Signature feature, websites like W3Techs have been able to gather data related to the usage statistics of web servers. This data indicates that Nginx is the most popular web server, holding a 34.1% market share, followed by Apache with 30.4%.
Server Signature and Server Tokens
People often confuse Server Signature and Server Tokens. While both terms refer to certain information that a web server can reveal about itself, they have distinct characteristics.
Server Signature refers to a line of text frequently visible in server responses, disclosing details regarding the server’s software and its precise version, such as “Apache/2.4.41 (Unix).” It can be valuable for server administrators but also poses a security risk if exposed to unauthorized users, potentially providing clues to potential attackers about specific server vulnerabilities.
On the other hand, Server Tokens are a configuration option that allows the web server to manage the extent of information it shares about itself in HTTP responses. By adjusting the Server Tokens configuration, it’s possible to conceal or minimize the information presented, thus increasing server security by reducing the volume of details accessible to potential threats.
In other words, Server Signature concerns the specific server information visible in responses, while Server Tokens represent a configuration that governs the extent of information disclosed.
Server Signature as a security risk
As we have said, Server Signature is a feature that enables web servers to disclose details about themselves, including their software type and version. While this can be handy for server admins and web developers in the development phase, it can also pose a notable security threat when visible on an active website.
When the Server Signature information is exposed, potential attackers can exploit it to identify specific software vulnerabilities in the server and potentially launch more successful attacks. If a server uses outdated or flawed software, it becomes more susceptible to being exploited.
To mitigate this risk, it’s advisable to either disable or modify the Server Signature settings in the web server’s configuration, reducing information exposure. This practice enhances website security by making it harder for attackers to target known vulnerabilities. Additionally, keeping the server software and its components up to date is vital for safeguarding against known security flaws.
So, is it a security risk? Yes: keeping it enabled in a live environment is a security risk. It should be used only during the development phase, and never on live websites.
Disabling Server Signature to increase security
Disabling the server signature is a key measure for enhancing security in a web server. As already stated, when a web server exposes its signature, it discloses information about the software and its version, making it easier for bad guys to identify specific vulnerabilities in that software.
By disabling it, the level of risk exposure is reduced, effectively hiding these critical details. Additionally, the Server Signature might leak internal information that could be exploited in more sophisticated attacks. Removing this information not only reduces the attack opportunities but also reduces the ability to launch targeted attacks against a server.
How do I disable Server Signature?
Disabling the Server Signature is a must if you want to keep your servers safe and secure, so let’s see how to disable this feature in some popular web servers like Apache and Nginx.
Setting up the Server Signature in Apache
Let’s see how to hide the Server Signature in Apache. Begin by accessing the server where Apache is installed, either through SSH or another remote access method.
Locate and open the main Apache configuration file, typically named httpd.conf (on Debian/Ubuntu systems it is /etc/apache2/apache2.conf instead), using a text editor such as nano or vim. For instance:
nano /etc/httpd/conf/httpd.conf
Utilize the search feature (usually via Ctrl+W in nano or / in vim) to identify the line including the ServerSignature directive, which usually appears like this:
ServerSignature On
To hide it, simply change the setting from On to Off, like this:
ServerSignature Off
Also make sure to change ServerTokens to “Prod”, so that the Server header carries only the product name (for example “Apache”) with no version or operating system details.
Save the changes made to the configuration file and then close it.
To apply the changes, restart the Apache service with the following command (the service is named apache2 on Debian/Ubuntu and httpd on RHEL-based systems, so adjust the name to your distribution):
systemctl restart apache2
Hiding the Server Signature in Nginx
Let’s see how to hide the Server Signature in Nginx. First off, log into your server with either root privileges or a user account that has the authority to modify Nginx’s configuration.
Use a text editor such as nano or vim to open the Nginx configuration file, typically found at /etc/nginx/nginx.conf:
nano /etc/nginx/nginx.conf
Within the configuration file, locate the server_tokens directive. In Nginx, this directive controls whether the version number is included in the Server header and on server-generated error pages; with it off, responses still identify the server as nginx, but without the version. Usually, server_tokens comes enabled by default:
server_tokens on;
To hide it, change the setting to off, as shown below:
server_tokens off;
Save and close the file, and test your Nginx config:
nginx -t
If the test is successful, proceed to restart Nginx:
systemctl restart nginx
Disabling the Server Signature on IIS
IIS may expose its version via HTTP headers. To remove them, start by opening the IIS Manager and selecting your site or the server node (if you want to apply this setting globally).
Click on HTTP Response Headers, and look for headers like ‘X-Powered-By’ and ‘Server’. If they exist, simply select the header and click Remove.
Now open the applicationHost.config file or your site-specific web.config file, and add the following snippet to the <system.webServer> section so that the X-Powered-By header is removed from responses on IIS:
<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>
Finally, restart IIS to apply your changes.
Testing if Server Signature is disabled
The easiest way to test if Server Signature is disabled is by using our security scanner:
- Access our webserver security test.
- Type your domain in the scan box.
- Tick the two checkboxes below the scan box, named ‘Clear cache’ and ‘Follow redirects’.
- Now click the Scan button.
- Scroll down and look for the section named ‘HTTP Security Headers’, and check your ‘Server Signature’ test results: a ‘Passed’ in green is what you’re aiming for, but if you get a ‘Failed’ in red it means that you need to update your settings.
Another option is to use the curl tool. Open a terminal (or similar tool) on your computer and run the following:
curl -I https://mydomain.com
Replace mydomain.com with your real domain.
The output will include the Server header, which should either be absent or show only the web server’s name, with no version or operating system details.
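A small checker for the curl output described above, added here as an example and not part of the original article: it parses the header block that curl -I prints and reports whether the Server or X-Powered-By headers disclose a version. The two sample responses are constructed for the demonstration.

```python
# Added example (not from the original article): parse the header block that
# `curl -I` prints and report whether Server / X-Powered-By disclose a version.
# The sample responses at the bottom are constructed, not captured.
import re

# A product token followed by a version, e.g. "Apache/2.4.41" or "nginx/1.18.0"
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")
# An OS/platform hint in parentheses, e.g. "(Unix)" or "(Ubuntu)"
OS_HINT_RE = re.compile(r"\(([^)]+)\)")

def parse_headers(raw):
    """Turn `curl -I` output into a {lowercase-name: value} dict.
    The status line has no colon and is skipped; a repeated header keeps its last value."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def classify_server_header(value):
    """Rate a Server header value: 'absent', 'product-only', 'version' or 'version+os'."""
    if not value:
        return "absent"
    has_version = bool(VERSION_RE.search(value))
    has_os = bool(OS_HINT_RE.search(value))
    if has_version and has_os:
        return "version+os"
    if has_version:
        return "version"
    return "product-only"

def check_signature(raw):
    """Verdict for the headers the article tells you to inspect; 'passed' is True
    only when no version is disclosed and no X-Powered-By header is present."""
    h = parse_headers(raw)
    server = h.get("server", "")
    level = classify_server_header(server)
    findings = []
    if level in ("version", "version+os"):
        findings.append(f"Server header discloses a version: {server}")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By header present: {h['x-powered-by']}")
    return {"server": server, "level": level, "findings": findings, "passed": not findings}

# Constructed sample responses: a leaky default and a hardened server.
LEAKY = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Unix)\r\nX-Powered-By: PHP/7.4.3\r\n\r\n"
HARDENED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
```

Call check_signature(LEAKY) and check_signature(HARDENED) to see the two verdicts; to check a real host, feed it the text printed by curl -I instead of the constructed strings.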
Server Signature FAQ
Let’s review some common questions related to Server Signature that weren’t covered in the article.
Why is Server Signature important?
It can provide useful information for troubleshooting and debugging web server issues. However, it can also pose security risks by revealing server software vulnerabilities to potential attackers.
Should I disable Server Signature for security?
Yes, disabling it is a common security practice to prevent bad guys from easily identifying server software and versions. This process varies depending on the web server software being used.
Is there any impact on website performance by disabling Server Signature?
Disabling this feature usually has minimal to no impact on website performance. But, it can improve security by reducing the amount of information available to malicious third parties.
In certain industries or regulatory frameworks, there may be requirements regarding the disclosure of server information. However, for security purposes, it is better to limit the amount of information revealed through it, and the absolute best option is to disable it.
Summary
Server Signature is a key component of web servers: let’s say it’s a virtual business card that is presented to web browsers upon request. It contains essential information about the server, including its software type, version, and sometimes details about the operating system, offering valuable data for administrators.
However, overexposing this information can be a security risk, as bad guys can use it to identify vulnerabilities. Thus, server admins should configure these settings with caution, revealing as little detail as possible. Disabling the Server Signature is an important security measure, as it conceals software and version information, reducing the potential for exploiting vulnerabilities.