remove "server" from response header?

is it possible to edit the apache source so that the "server" response
header is removed altogether? the best i can come up with is editing -
include/ap_release.h and emptying "AP_SERVER_BASEPRODUCT"... but the
"server" header is still sent (empty). does anyone know a way to remove
it completely?

thanks,
adam.

adam barker wrote:

> is it possible to edit the apache source so that the "server" response
> header is removed altogether? the best i can come up with is editing -
> include/ap_release.h and emptying "AP_SERVER_BASEPRODUCT"... but the
> "server" header is still sent (empty). does anyone know a way to remove
> it completely?

Yours is the best method.

You need to rummage around in your include files to find all instances
of a server version, server type, server name and all that. I would like
to provide a precise example, but packages for Apache vary greatly;
include files change over time and versions.

For my server, if I remember correctly, I modified two include files
to accomplish your task.

There are software which will strip that header / information. However,
those software behave as a transparent proxy which inflicts a
performance hit.

Search through all of your include files. You will, eventually, find
all instances. Keep in mind, it is not usual to find a need to
modify multiple lines. Often a single line modification is not
all you need to modify. Data is presented in one include file,
and the actual print is in another include file. Another way of
stating this is data is "defined" in a file, then a different file
pulls that data for print. That is where your base header is.

You will need to be mindful of multiple header constructs.
This is, make sure your newline (\n) characters are not removed
where needed or left in where not needed. Those might be printed
independently of your header information. An example, you strip
your server header and end up with \n\n in your response data
because you did not strip a newline right after your server header
output in some (other) include file.

Be sure to keep safe backup copies of your files, and keep a
safe backup copy of your compiled Apache. Do this before
you make modifications and compile.

The easiest method, maybe the best method, is simply to
change your server version to something it is not. This
you have accomplished. Consider changing your server
information to a different server type, or simply insert
something humorous.

You have successfully accomplished your task of removing
server information. You might find it better to stop there.

Purl Gurl

"adam barker" <adamsbarker@gmail.com> wrote:

> is it possible to edit the apache source so that the "server" response
> header is removed altogether? the best i can come up with is editing -
> include/ap_release.h and emptying "AP_SERVER_BASEPRODUCT"... but the
> "server" header is still sent (empty). does anyone know a way to remove
> it completely?

security through obscurity is a bad idea.

A lot of "hacking" scripts don't even check the server version, hence
people see a lot of IIS hack attempts when they run Apache...

--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html

thanks for that purl... also, john - why i want to do this has nothing
to do with security - it's to do with a waste of bytes being sent with
every response sent - "server: apache\n\r" adds up to a lot of wasted
bytes being sent if you have, say, 10 files being downloaded on one
page.

"adam barker" <adamsbarker@gmail.com> wrote:

> thanks for that purl... also, john - why i want to do this has nothing
> to do with security - it's to do with a waste of bytes being sent with
> every response sent - "server: apache\n\r" adds up to a lot of wasted
> bytes being sent if you have, say, 10 files being downloaded on one
> page.

Then use a compression module, since I am sure your HTML pages waste more
data then you can save with shaving a few bytes from the header.

--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html