views:

1087

answers:

6

This question is more security related than programming related, sorry if it shouldn't be here.

I'm currently developing a web application and I'm curious as to why most websites don't mind displaying their exact server configuration in HTTP headers, like versions of Apache and PHP, with complete "mod_perl, mod_python, ..." listing and so on.

From a security point of view, I'd prefer that it would be impossible to find out if I'm running PHP on Apache, ASP.NET on IIS or even Rails on Lighttpd.

Obviously "obscurity is not security" but should I be worried at all that visitors know what version of Apache and PHP my server is running? Is it good practice or totally unnecessary to hide this information?

+3  A: 

I think you usually see those headers because the systems send them by default.

I routinely remove them as they provide no real value and could, as you suggested, reveal information about the server.

Michael Haren
So I guess the next SO question is, how do you remove HTTP headers? :P
alex
+3  A: 

Running nmap -O -sV against an IP will give you the OS and service versions with a fairly high degree of accuracy. The only extra info you're giving away by having your server advertise that information is which modules you have loaded.

rmeador
+5  A: 

Hiding the information in the headers usually just slows down the lazy and ignorant villains. There are many ways to fingerprint a system.

Zoredache
+5  A: 

Prevailing wisdom is to remove the server ID and the version; better yet, change them to another legitimate server ID and version - that way the attacker goes off trying IIS vulnerabilities against Apache or something like that. Might as well mislead the attacker.

Software Monkey
+3  A: 

It seems that some of the answers are missing an obvious advantage of turning off the headers.

Yes, you all are right; turning off the headers (and the status line present e.g. at directory listings) does not stop an attacker from finding out what software you use.

However, turning this information off prevents malware which uses Google to look for vulnerable systems from finding you.

tldr: Don't use it as a (or even as THE) security-measure, but as a measure to drive away unwanted traffic.

Alphager
+2  A: 

I normally turn off Apache's long header version information with ServerTokens; it adds nothing useful.

One point which nobody has picked up on, is it looks like better security to a prospective client, pen testing company etc, if you're giving out less information from your web server.

So giving less information out boosts the perceived security (i.e. it shows you have actually thought about it and done something).

MarkR
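As an added example (not from any of the answerers), here is a small checker for the kind of disclosure the thread discusses: it parses a raw HTTP response header block and reports which identity headers still carry product/version strings. The two header blocks are constructed samples; the "hardened" one assumes the Apache directives `ServerTokens Prod` and `ServerSignature Off` plus `expose_php = Off` in php.ini, which is what strips the version detail mentioned in the last answer.

```python
import re

# Constructed sample: what a default Apache + PHP install typically sends.
SAMPLE_VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.57 (Unix) OpenSSL/3.0.8 PHP/8.2.7 mod_perl/2.0.12\r\n"
    "X-Powered-By: PHP/8.2.7\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Constructed sample of the same server after `ServerTokens Prod`,
# `ServerSignature Off` (httpd.conf) and `expose_php = Off` (php.ini):
# only the bare product name is left, and X-Powered-By is gone.
SAMPLE_TERSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Headers that commonly name the server stack; their values are checked for versions.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
VERSION_RE = re.compile(r"\b[\w.-]+/\d+(?:\.\d+)*")  # e.g. Apache/2.4.57, PHP/8.2.7


def parse_headers(raw):
    """Return [(name, value)] from a raw response, names lower-cased, status line dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def version_disclosures(raw):
    """Return {header: [product/version tokens]} for identity headers that leak versions."""
    found = {}
    for name, value in parse_headers(raw):
        if name not in DISCLOSING_HEADERS:
            continue
        tokens = VERSION_RE.findall(value)
        if not tokens and re.search(r"\d", value):
            tokens = [value]  # bare version such as X-AspNet-Version: 4.0.30319
        if tokens:
            found[name] = tokens
    return found


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_VERBOSE), ("hardened", SAMPLE_TERSE)):
        print(label, version_disclosures(sample) or "no version strings")
```

Feed it the output of a `curl -sI` against your own server to confirm the directives took effect; as the other answers note, an empty result only removes the advertisement, not the fingerprint.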