mod_sesehe 0.1.0

mod_sesehe is an Apache module that disguises and removes the 'Server: ' HTTP header from responses.

The Apache License 2.0 
Francois Pesce

Although sending the Server header in HTTP responses is not defined as a MUST in RFC 2616, the Apache HTTP Server does not allow you to disable sending this header via its configuration. You can reduce it to "Apache" by removing the version, or the additional modules, with the ServerTokens directive. Despite what some people are saying, even mod_headers can't suppress it.

Excerpt from RFC:

"14.38 Server

The Server response-header field contains information about the software used by the origin server to handle the request. The field can contain multiple product tokens (section 3.8) and comments identifying the server and any significant subproducts. The product tokens are listed in order of their significance for identifying the application.

[ ... ]

If the response is being forwarded through a proxy, the proxy application MUST NOT modify the Server response-header. Instead, it SHOULD include a Via field (as described in section 14.45).

Note: Revealing the specific software version of the server might allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Server implementors are encouraged to make this field a configurable option."

In Apache httpd, the ServerTokens directive can currently at best be set to Prod, which causes Apache to return "Apache" as the Server header. Some problems remain:

First, the level of security by obscurity this directive offers is not acceptable to people who just want to change the header to some other value without recompiling Apache, or who simply want to drop the "Server: " header. Secondly, if Apache is configured as a reverse proxy and a malformed request is received, it will display its own server token instead of the backend's, so the headers of error responses need to be handled as well.
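
The second problem can be observed by comparing the Server header of a normal response with that of an error response. The Python code below is an added example, not part of mod_sesehe or of the original page; the two sample responses, the backend name ExampleBackend and the version strings in them are constructed for illustration.

```python
import re

# RFC 2616 sec. 3.8: product = token ["/" product-version]; comments are parenthesised.
_TOKEN = r"[\w.!#$%&'*+^`|~-]+"
_PRODUCT = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")
_COMMENT = re.compile(r"\(([^()]*)\)")

def server_header(raw):
    """Return the Server value of a raw HTTP response, or None when it is absent."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:            # [0] is the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def parse_products(value):
    """Split a Server value into [(product, version or None)] and [comments]."""
    comments = _COMMENT.findall(value)
    products = _PRODUCT.findall(_COMMENT.sub(" ", value))
    return [(p, v or None) for p, v in products], comments

def audit(normal, error):
    """List what the Server header discloses on a normal and on an error response."""
    findings, seen = [], {}
    for label, raw in (("normal", normal), ("error", error)):
        seen[label] = value = server_header(raw)
        if value is None:
            continue
        products, comments = parse_products(value)
        versions = [f"{p}/{v}" for p, v in products if v]
        if versions:
            findings.append(f"{label}: versions disclosed: {', '.join(versions)}")
        if comments:
            findings.append(f"{label}: platform comment: {', '.join(comments)}")
    if seen["normal"] != seen["error"]:
        findings.append("error response identifies a different server than normal one")
    return findings

# Constructed sample responses (not captured traffic): a proxied backend reply and
# the 400 that the front-end generates itself for a malformed request.
NORMAL = "HTTP/1.1 200 OK\r\nServer: ExampleBackend\r\nContent-Length: 0\r\n\r\n"
ERROR = ("HTTP/1.1 400 Bad Request\r\nServer: Apache/2.2.4 (Unix) mod_ssl/2.2.4\r\n"
         "Connection: close\r\n\r\n")

if __name__ == "__main__":
    for finding in audit(NORMAL, ERROR):
        print(finding)
```

An empty list from `audit` means neither response carries a versioned or inconsistent Server header, which is the state the module is meant to produce.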

I developed this tiny module by hijacking the normal behavior of the (reverse) proxy feature of Apache: i.e. even if a request is not a proxy request, I tag it as if it were, to make the Apache core let me do what I want with this header.

Compilation and Installation

To build this module, you can proceed with a standard apxs line like this:

${APACHE_DIR}/bin/apxs -c -a -n sesehe ./mod_sesehe.c

Then, to install the compiled module, still use apxs:

${APACHE_DIR}/bin/apxs -i -a -n sesehe ./

Last updated on August 22nd, 2007
