



  

Thread: Prevent Apache and PHP from displaying too much information

      
  1. #1
    vectro

    Ever hit a 404 page on someone's web site, and at the bottom see all of the information about their server? You might see the version of Apache they are running, which modules they use, what version of PHP they have and a bunch of other stuff.

    This information can be useful to hackers! Knowing what software is running and how it is configured can be a starting point for them to find an attack vector.

    Here are two simple settings for your httpd.conf file to prevent this:

    Code:
    ServerTokens ProductOnly
    ServerSignature Off

    Do a text search of your config to see if you already have these directives before you add them. If you already have them and they are set to 'On' just change them to the settings above.
    Vectro Web Hosting - Web hosting with solid tech support.

    x Proxy Host - Affordable PHP proxy hosting with proxy-specific features.
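An added example (not part of the original post) that automates the text search described above: it reports the effective `ServerTokens` and `ServerSignature` settings in a config and skips commented-out lines that a plain search would also match. The function names and sample configs are constructed for illustration, and scoping through `<VirtualHost>` or `Include` is ignored as a simplifying assumption.

```shell
#!/bin/sh
# Added example: audit Apache config text for ServerTokens / ServerSignature.
# Assumption: the last uncommented occurrence in the text is the effective one.
NL='
'

# Print the effective value of directive $1 from config text on stdin.
directive_value() {
  awk -v want="$1" '
    /^[[:space:]]*#/ { next }                   # skip comment lines
    tolower($1) == tolower(want) { val = $2 }   # directive names are case-insensitive
    END { print val }'
}

# Print one finding per line for config text on stdin, or "OK" if none.
audit_disclosure() {
  conf=$(cat)
  tokens=$(printf '%s\n' "$conf" | directive_value ServerTokens | tr 'A-Z' 'a-z')
  sig=$(printf '%s\n' "$conf" | directive_value ServerSignature | tr 'A-Z' 'a-z')
  out=""
  case "$tokens" in
    prod|productonly) ;;
    "") out="ServerTokens unset: Apache defaults to Full" ;;
    *)  out="ServerTokens $tokens: Server header reveals more than the product name" ;;
  esac
  case "$sig" in
    ""|off) ;;   # unset is acceptable: the compiled-in default is Off
    *) out="${out:+$out$NL}ServerSignature $sig: footer added to server-generated pages" ;;
  esac
  printf '%s\n' "${out:-OK}"
}

# Constructed sample configs (not taken from a real server).
WEAK_CONF='# ServerTokens ProductOnly
servertokens OS
ServerSignature On'
HARDENED_CONF='ServerTokens ProductOnly
ServerSignature Off'

echo "weak config:";     printf '%s\n' "$WEAK_CONF" | audit_disclosure
echo "hardened config:"; printf '%s\n' "$HARDENED_CONF" | audit_disclosure
```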

  2. #2
    grim

    Good info!

  3. #3
    vectro

    One other thing, if it is a cPanel server, don't edit httpd.conf directly unless you are advanced and familiar with the Apache distiller. Instead, log into WHM and go to Apache Configuration --> Global Configuration and you will see the settings for ServerSignature and ServerTokens.

  4. #4
    grim

    Quick checked mine and found I had to change 1 item on both my cPanel servers.

  5. #5
    tsdesigns

    Or just make sure no-one can see your default 404 page, like I said in that other thread:

    You can make your own 404 page easily enough.

    Just make a .htaccess file and use this:

    ErrorDocument 404 /notfound.php

    Where /notfound.php is your 404 page file. You can do it with any of the error pages.
    I guess making sure it can't be seen at the server end of things is probably better, but this is a good alternative for those who don't have access to their server (e.g. shared hosting).

  6. #6
    grim

    I send all my error pages on my main sites direct back to the index myself.

  7. #7
    tsdesigns

    Originally posted by grim:
    > I send all my error pages on my main sites direct back to the index myself.

    I used to do that, but then someone pointed out to me that it's much better to actually tell the user that they have stumbled upon a page that doesn't exist than just have it go back to the main page. Having it on its own page also means you can track where/how the user came to that page - storing the URL they came from in the database for you to go and look at to see where/how and see if you can fix it.

  8. #8
    grim

    I do it on ecom sites, most users have no clue and an error page confuses them more than anything. Some even think it means the site is totally broken/not secure.

  9. #9
    vectro

    Originally posted by tsdesigns:
    > Or just make sure no-one can see your default 404 page, like I said in that other thread

    True. While you're at it you might want to create custom pages for other error messages. Different error codes show the server info as well. The .htaccess code would look something like:

    Code:
    ErrorDocument 400 /400.html
    ErrorDocument 401 /401.html
    ErrorDocument 403 /403.html
    ErrorDocument 404 /404.html
    ErrorDocument 500 /500.html

    Then the corresponding pages would need to be created and placed in the website's root directory.
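An added example (not part of the thread) for verifying the result from the outside: it scans a raw HTTP response for version tokens in the `Server` header and for the signature footer in the body. It shows that a custom `ErrorDocument` removes the footer but leaves the header, which only `ServerTokens` shortens. The function name `find_leaks` and the three responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: find software disclosure in a raw HTTP response
# (headers, blank line, body) supplied on stdin.

# Print one line per leak found; print nothing when the response is clean.
find_leaks() {
  tr -d '\r' | awk '
    BEGIN { in_body = 0 }
    !in_body && /^$/ { in_body = 1; next }      # blank line ends the headers
    # Header side: product/version tokens such as Apache/2.2.3 or PHP/5.2.6
    !in_body && tolower($0) ~ /^server:/ && /[A-Za-z_]+\/[0-9]/ {
      print "header: " $0
    }
    # Body side: the footer that ServerSignature On appends to generated pages
    in_body && /<address>.*Server at .* Port [0-9]+<\/address>/ {
      print "body: server signature footer"
    }'
}

# Constructed responses (not captured from a real server).
DEFAULT_404='HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS) PHP/5.2.6
Content-Type: text/html

<h1>Not Found</h1>
<p>The requested URL /missing was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) PHP/5.2.6 Server at www.example.com Port 80</address>'

# Custom ErrorDocument only: the body is clean, the header is unchanged.
CUSTOM_404='HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (CentOS) PHP/5.2.6
Content-Type: text/html

<h1>Page not found</h1>'

# Custom ErrorDocument plus ServerTokens ProductOnly and ServerSignature Off.
HARDENED_404='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<h1>Page not found</h1>'

echo "default:";  printf '%s\n' "$DEFAULT_404"  | find_leaks
echo "custom:";   printf '%s\n' "$CUSTOM_404"   | find_leaks
echo "hardened:"; printf '%s\n' "$HARDENED_404" | find_leaks
```

On a server you administer, the same function can read the output of `curl -si` for a URL that returns an error page.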
