I have a Rails application served using Apache 2 and Phusion Passenger. As a security measure I'm trying to suppress all server-related HTTP headers. I've successfully turned off the Apache ones, but I'm having trouble using mod_headers to suppress the Passenger ones. I've enabled mod_headers using the a2enmod command and restarted the Apache process, but the X-Powered-By and X-Runtime headers still appear.

This is my vhost file:
<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/deploy/public_html/railsapp/current/public

    LogLevel warn
    ErrorLog /home/deploy/public_html/railsapp/shared/log/error.log
    CustomLog /home/deploy/public_html/railsapp/shared/log/access.log combined

    # Suppress Phusion Passenger HTTP headers
    <Location *>
        <IfModule mod_headers.c>
            Header unset X-Runtime
            Header unset X-Powered-By
        </IfModule>
    </Location>
</VirtualHost>
What am I doing wrong?
From the mod_headers docs:

The directives provided by mod_headers can occur almost anywhere within the server configuration. They are valid in the main server config and virtual host sections, inside <Directory>, <Location> and <Files> sections, and within .htaccess files.

If you want this to apply to the whole vhost, why put it inside <Location> tags? Just put the directives inside the main vhost config.

I haven't tested this, so apologies in advance if it's incorrect.
I don't have an Apache install to hand, but <Location *> looks suspect. The docs say:

I suspect you're not matching any URLs. Try:
Leaving aside that it's still really easy to determine the server, at least to coarse versions, even without headers, and the "script kiddies" just try all attacks and don't bother to check versions anyway.
What happens if you remove the line and just leave the commands?
I'd wonder if it's even being loaded; try adding a static header to verify.
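Putting the two suggestions together (the directives at vhost level rather than inside <Location>, and a static marker header to prove mod_headers is active), here is an added example vhost; it is not from the question or any of the answers. It assumes Apache 2.2.12 or later, where the `always` condition exists, and uses a made-up marker header name.

```apacheconf
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/deploy/public_html/railsapp/current/public

    # Directives sit directly in the vhost, so they apply to every
    # response of this vhost without depending on a <Location> match.
    <IfModule mod_headers.c>
        # "always" acts on the table used for every status code; the
        # default "onsuccess" only sees 2xx responses. If a header
        # survives plain "Header unset", this is the next thing to try.
        Header always unset X-Powered-By
        Header always unset X-Runtime

        # Temporary marker (constructed name) to confirm mod_headers is
        # loaded and this block is evaluated; remove it once verified.
        Header always set X-Headers-Check "mod_headers-active"
    </IfModule>
</VirtualHost>
```

Check that the module is loaded with `apachectl -M | grep headers`, then fetch `curl -sI http://example.com/`: the marker should be present and the two Passenger headers absent; if the marker is missing, mod_headers is not active for this vhost.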