I'm running Mod_Security and I'm using the SecServerSignature to customize the Server header that Apache returns. This part works fine, however I'm also running mod_fcgid which appends "mod_fcgid/2.3.5" to the header.

Is there any way I can turn this off? Setting ServerSignature off doesn't do anything. I was able to get it to go away by changing the ServerTokens but that removed the customization I had added.

Use ServerTokens in a config file.

ServerTokens

This directive configures what you return as the Server HTTP response Header. The default is 'Full' which sends information about the OS-Type and compiled in modules.

Set to one of: Full | OS | Minor | Minimal | Major | Prod

where Full conveys the most information, and Prod the least.

I suggest to set it to Prod, then they will only see that you are using Apache Server at domain.com Port 80.

Don't forget to restart/reload the Apache config files!

https://httpd.apache.org/docs/2.2/mod/core.html#servertokens

ServerTokens is what manipulates the Server response header. (ServerSignature is used for server generated documents.)

However, if you want to completely control the Server header I would suggest using the Header option:

as an example.

You may need to reorder the module loading in Apache so mod_security loads after mod_fcgi.
Read the "Server identity masking" section of the mod_security docs.
http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/06-special_features.html
Two notes: Mod_security will show the real server signature in the error_log which will be different than the one given to the public.
Second, the document also explains that the SecServerSignature directive only works with ServerTokens set to "Full".
Mark
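
Added example, not part of any answer above: after changing ServerTokens, SecServerSignature or module load order, a check like the following confirms what the Server header still discloses. It parses the header into product tokens and comments and reports any version, extra module token or platform comment. The function names and the sample header values are constructed for illustration; only "mod_fcgid/2.3.5" comes from the question.

```python
import re

# RFC 7230 "token" characters: valid in product names and versions.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PRODUCT = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")


def parse_server_header(value):
    """Split a Server header value into (name, version) products and comments."""
    products, comments = [], []
    i, n = 0, len(value)
    while i < n:
        if value[i].isspace():
            i += 1
        elif value[i] == "(":
            # Comments are parenthesised and may nest, e.g. "(Unix (x86))".
            depth, j = 1, i + 1
            while j < n and depth:
                depth += {"(": 1, ")": -1}.get(value[j], 0)
                j += 1
            if depth:
                raise ValueError("unterminated comment in Server header")
            comments.append(value[i + 1:j - 1])
            i = j
        else:
            m = _PRODUCT.match(value, i)
            if not m:
                raise ValueError(f"unexpected character at offset {i}")
            products.append((m.group(1), m.group(2)))
            i = m.end()
    return products, comments


def audit_server_header(value):
    """Return findings for anything beyond a bare product name."""
    products, comments = parse_server_header(value)
    findings = []
    for index, (name, version) in enumerate(products):
        if version is not None:
            kind = "server version" if index == 0 else "module version"
            findings.append(f"{kind}: {name}/{version}")
    findings.extend(f"platform comment: ({c})" for c in comments)
    return findings


if __name__ == "__main__":
    # Constructed sample values; only "mod_fcgid/2.3.5" comes from the question.
    for header in ("Apache", "Apache/2.2.15 (CentOS) mod_fcgid/2.3.5",
                   "Example Web Server mod_fcgid/2.3.5"):
        print(f"{header!r}: {audit_server_header(header) or 'nothing disclosed'}")
```

Feed it the Server value from a response of your own server; an empty result means only bare product names are sent.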