Our security auditor scanned our system and here is what came up on the Apache server:

-Server header: Apache exposed on port: 80
-Server header: Apache exposed on port: 443

Here are some lines in my config header:

Listen 80
ServerName localhost:80
ServerTokens Prod
ServerSignature Off

I have no clue how to fix this. What does that mean? How can I solve this?

Apache/2.4.54 (Win64)

xarj
  • It sounds like you only got the summary. Most audit reports come with more detailed findings, explanations and recommendations on why the finding is a risk/vulnerability (and often a hint what to fix). This is not enough to advise you. – HBruijn Aug 19 '22 at 14:42
  • @HBruijn I edited my answer with more info. – xarj Aug 30 '22 at 15:45

1 Answer

You can change the Server header by adding something like:

# SecServerSignature is a ModSecurity (mod_security2) directive; it only
# takes effect when ServerTokens is Full, which lets it overwrite the banner
ServerTokens Full
SecServerSignature "bla bla bla"

to the configs for port 80 and port 443. But it would be wise not to add a random string, but to imitate another web server.

The TLS misconfiguration can be corrected once we can see your TLS config.

As for security headers, add the following headers:

  1. HTTP Strict Transport Security (HSTS)
  2. Content Security Policy (CSP)
  3. X-XSS-Protection
  4. X-Frame-Options
  5. X-Content-Type-Options
  6. Referrer-Policy
  7. Permissions-Policy

For more details about these headers check here.

Romeo Ninov
  • Generally security scanners and auditors prefer [`ServerTokens Prod`](https://httpd.apache.org/docs/current/mod/core.html#servertokens) and less information disclosure rather than `Full` (not that adjusting that will make your web server more secure or anything). – HBruijn Aug 19 '22 at 14:39
  • @HBruijn, Thank you, will update the answer – Romeo Ninov Aug 19 '22 at 14:44
  • Where can I find the server header file? It is an Apache server on Windows. There is apache/modules/mod_headers.so but I can't read the file. In httpd.conf there is ServerTokens Prod ServerSignature Off. TLS is fixed. It was a problem with obsolete CBC cipher keys. – xarj Aug 26 '22 at 14:53
  • @xarj, the header configurations are in the config files of Apache. – Romeo Ninov Aug 26 '22 at 15:06
  • I managed to fix all security headers. I still don't see how to fix -Server header: Apache exposed on port: 80 -Server header: Apache exposed on port: 443. Here are some lines in my header config: Listen 80 ServerName localhost:80 ServerTokens Prod ServerSignature Off – xarj Aug 30 '22 at 08:57
  • Please, see my edited post for more info – xarj Aug 30 '22 at 09:04
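The config fragment below is an added example (editor's, not the answer's own config) that pulls the answer's two recommendations into one place for httpd 2.4 on Windows as in the question. What the finding means: with `ServerTokens Prod` httpd still sends `Server: Apache`, and that is the least the core can emit on its own, so the scanner keeps reporting the product name on both listeners; it is an information-disclosure note, not an exploitable hole. Removing or replacing the banner needs ModSecurity's `SecServerSignature`, which only takes effect together with `ServerTokens Full`; `Header unset Server` has no effect in 2.4 for non-proxied responses because the core writes the banner itself after mod_headers has run. The hostname, the certificate paths, the file layout under conf/ and the IIS banner string are placeholders.

```apache
# Added example for httpd 2.4 (Win64); not the answer's own config.
# Hostname, certificate paths and the IIS banner string are placeholders.
# httpd rejects trailing comments, so every comment is on its own line.

# --- Banner (applies to both listeners) ----------------------------------
# Prod is the least the core can send by itself: "Server: Apache".
# A scanner flags that bare product name as "Apache exposed".
ServerTokens Prod
ServerSignature Off

# To remove or replace the banner you need ModSecurity; its directive only
# takes effect with ServerTokens Full, so the block below replaces the two
# lines above rather than adding to them.
#<IfModule security2_module>
#    ServerTokens Full
#    SecServerSignature "Microsoft-IIS/10.0"
#</IfModule>

# --- Security headers (mod_headers) --------------------------------------
# "always" also covers error responses. The CSP here is a strict starting
# point and will break inline scripts and third-party assets; tune it to
# the site. X-XSS-Protection is a legacy header and OWASP recommends 0
# (the browser filter itself introduced bugs); use "1; mode=block" only if
# your scanner insists on it.
<IfModule headers_module>
    Header always set Content-Security-Policy "default-src 'self'"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    Header always set X-XSS-Protection "0"
</IfModule>

# --- HTTPS listener (conf/extra/httpd-ssl.conf in the Windows layout) ----
Listen 443
<VirtualHost *:443>
    ServerName www.example.com:443
    SSLEngine on
    SSLCertificateFile "conf/ssl/server.crt"
    SSLCertificateKeyFile "conf/ssl/server.key"
    # HSTS only makes sense over TLS; browsers ignore it on plain HTTP
    <IfModule headers_module>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </IfModule>
</VirtualHost>

# --- Plain-HTTP listener: redirect to HTTPS instead of serving content ---
Listen 80
<VirtualHost *:80>
    ServerName www.example.com:80
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>
```

After editing, run `bin\httpd.exe -t` to check the syntax, then `bin\httpd.exe -k restart`, and verify from a client with `curl -sI https://www.example.com/`: the `Server:` line shows what the scanner will see (still `Apache` with Prod, the replacement string only once ModSecurity is loaded and `ServerTokens Full` is set), and the seven security headers should appear in the same output.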