I came across something in one of my rails books that said I should set
ServerSignature Off
ServerTokens Prod
to disable apache from showing server information in production when the app screws up. Is this necessary? The only error message I see in prod is the standard Rails production error message. I never see any server information.
Are there any other security related apache config variables I need to set?
It is not necessary, but it is recommended. By showing the server signature and the full server tokens you are giving potential hackers an easier way to identify how to hack your system. For example, with ServerSignature on and a full ServerToken, a hacker will know exactly what OS (including version) and server technology you are running.
Example. With ServerToken set to full you might get:
Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch Server
With it set to prod you will only get
Apache
This article on slicehost gives a good overview of how to approach serverSignature and serverTokens