Bug#843014: Apache2: ServerTokens Minimal
Package: apache2
Version: 2.4.23-5
Severity: wishlist
Dear maintainer,
/etc/apache2/conf-available/security.conf currently defaults to
ServerTokens OS
This results in a header like:
Server: Apache/2.4.10 (Debian)
Sending the Apache and OS version is a waste of bandwidth.
Unfortunately Apache does not allow completely suppressing this
superfluous header.
Furthermore the current setting exposes valuable information to a
possible intruder:
Why should any HTTP client care which OS my server is using?
Please, change the default to
ServerTokens Minimal
Best regards
Heinrich Schuchardt
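A check for what the requested change would alter on the wire, as an added example that is not part of the original report: it reads the effective ServerTokens value from a config text and classifies a Server header by the level that produces its shape, following the Apache httpd documentation for the directive. The function names and the sample config are constructed for illustration, and the config parsing is a simplification (last directive wins, whole-line comments only).

```python
import re

# Shape of the Server header for each ServerTokens level (Apache httpd docs):
#   Prod: Apache            Major: Apache/2         Minor: Apache/2.4
#   Minimal: Apache/2.4.10  OS: Apache/2.4.10 (Debian)
#   Full: Apache/2.4.10 (Debian) <module tokens...>
_SERVER_RE = re.compile(
    r"^Apache(?:/(?P<ver>\d+(?:\.\d+){0,2}))?"
    r"(?:\s+\((?P<os>[^)]+)\))?"
    r"(?P<mods>(?:\s+\S+)*)\s*$"
)


def classify_server_header(value):
    """Return (level, disclosed) for a Server header value.

    level is the ServerTokens setting whose output has this shape, or None
    if the value is not Apache-shaped. Full without any module tokens is
    indistinguishable from OS and is reported as OS.
    """
    m = _SERVER_RE.match(value.strip())
    if not m:
        return None, {}
    ver, os_name, mods = m.group("ver"), m.group("os"), m.group("mods").split()
    disclosed = {"version": ver, "os": os_name, "modules": mods}
    if mods:
        level = "Full"
    elif os_name:
        level = "OS"
    elif ver is None:
        level = "Prod"
    else:
        level = {1: "Major", 2: "Minor", 3: "Minimal"}[ver.count(".") + 1]
    return level, disclosed


def effective_server_tokens(conf_text):
    """Last ServerTokens directive in the text; httpd defaults to Full if absent."""
    level = "Full"
    for line in conf_text.splitlines():
        parts = line.strip().split()
        if len(parts) == 2 and parts[0].lower() == "servertokens":
            level = parts[1]  # lines starting with '#' never match parts[0]
    return level


# Constructed sample resembling conf-available/security.conf
SAMPLE_CONF = "#ServerTokens Minimal\nServerTokens OS\n#ServerTokens Full\n"
```
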