{
    "componentChunkName": "component---src-templates-docs-js",
    "path": "/cumulus/hide-webserver-version",
    "result": {"data":{"site":{"siteMetadata":{"title":"Linnaeus University","language":"en"}},"mdx":{"fields":{"id":"07c0799b-95a1-583b-8b7d-a78ef9126303","title":"Hide Webserver Version","slug":"/cumulus/hide-webserver-version"},"body":"var _excluded = [\"components\"];\n\nfunction _extends() { _extends = Object.assign || function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\n\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\n\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n\n/* @jsxRuntime classic */\n\n/* @jsx mdx */\nvar _frontmatter = {};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n      props = _objectWithoutProperties(_ref, _excluded);\n\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"h1\", null, \"Hiding Version Information in Web Servers\"), mdx(\"h2\", null, \"Purpose\"), mdx(\"p\", null, \"Sunet continuously scans for vulnerabilities in public-facing 
systems. To minimize unnecessary\\nalerts and avoid being contacted by Sunet, it is important to take preventive measures. The purpose\\nof this guideline is to reduce false vulnerability alerts and limit exposure of technical information.\\nWeb servers should not expose version numbers or information about the underlying operating system\\nin HTTP headers. Hiding the version does not fix any vulnerability in the server software itself,\\nso security updates must still be installed.\"), mdx(\"p\", null, \"Exposing version information can lead to:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Unnecessary alerts in vulnerability scans  \"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Information leakage about the system environment  \"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Increased risk during targeted attacks\")), mdx(\"hr\", null), mdx(\"h2\", null, \"Verification of Current Configuration\"), mdx(\"p\", null, \"Check what information the server exposes by running:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-bash\"\n  }, \"curl --head <DNS name or IP address>\\n\")), mdx(\"p\", null, \"Example:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-bash\"\n  }, \"curl --head cu9999.cloud.lnu.se\\n\")), mdx(\"p\", null, \"If the response contains, for example:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-plaintext\"\n  }, \"    Server: nginx/1.14.0 (Ubuntu)\\n\")), mdx(\"p\", null, \"the version information is visible and the configuration needs adjustment.\"), mdx(\"p\", null, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Notes on verification:\")), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"li\"\n  }, \"curl --head\"), \" (or \", mdx(\"inlineCode\", {\n    parentName: \"li\"\n  }, \"curl -I\"), \") only requests the HTTP headers, not the full page content.  
\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"You should specifically look at the \", mdx(\"inlineCode\", {\n    parentName: \"li\"\n  }, \"Server:\"), \" header to see if it contains versions or OS\\ninformation.  \"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"After correct configuration, headers should show only the server name, e.g., \", mdx(\"inlineCode\", {\n    parentName: \"li\"\n  }, \"Server: nginx\"), \", or\\nthe header may be removed entirely depending on configuration.\")), mdx(\"hr\", null), mdx(\"h2\", null, \"Configuration by Web Server\"), mdx(\"h3\", null, \"Nginx (Ubuntu)\"), mdx(\"p\", null, \"Applies to servers using Nginx on Ubuntu.\"), mdx(\"h4\", null, \"Action\"), mdx(\"ol\", null, mdx(\"li\", {\n    parentName: \"ol\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Open the configuration file:\"), mdx(\"pre\", {\n    parentName: \"li\"\n  }, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-bash\"\n  }, \"sudo nano /etc/nginx/nginx.conf\\n\"))), mdx(\"li\", {\n    parentName: \"ol\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Ensure the following line exists in the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"http\"), \" block. Often, \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"server_tokens off;\"), \" is already present\\nbut commented out\\u2014simply remove the # if that is the case:\"), mdx(\"pre\", {\n    parentName: \"li\"\n  }, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-nginx\"\n  }, \"server_tokens off;\\n\")), mdx(\"p\", {\n    parentName: \"li\"\n  }, \" \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Explanation:\")), mdx(\"ul\", {\n    parentName: \"li\"\n  }, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"By default, Nginx sends \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"Server: nginx/<version> (<OS>)\"), \" in HTTP headers.  
\")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"With \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"server_tokens off;\"), \", the server will send only \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"Server: nginx\"), \".  \")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"This hides the version number and operating system, reducing false vulnerability alerts.  \")), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Note: This does \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"not\"), \" remove the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"Server\"), \" header completely. Removing it entirely requires\\nthe \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"headers-more\"), \" module:\"), mdx(\"pre\", {\n    parentName: \"li\"\n  }, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-nginx\"\n  }, \"more_clear_headers Server;\\n\"))))), mdx(\"li\", {\n    parentName: \"ol\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Restart the service:\"), mdx(\"pre\", {\n    parentName: \"li\"\n  }, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-bash\"\n  }, \"sudo systemctl restart nginx.service\\n\"))), mdx(\"li\", {\n    parentName: \"ol\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Verify the change with:\"), mdx(\"pre\", {\n    parentName: \"li\"\n  }, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-bash\"\n  }, \"curl --head <server name>\\n\")), mdx(\"p\", {\n    parentName: \"li\"\n  }, \"After the change, only the following should be shown:\"), mdx(\"pre\", {\n    parentName: \"li\"\n  }, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-plaintext\"\n  }, \"    Server: nginx\\n\")))), mdx(\"hr\", null), mdx(\"h3\", null, \"Apache (Ubuntu)\"), mdx(\"p\", null, \"Applies to servers using 
Apache HTTP Server on Ubuntu.\"), mdx(\"h4\", null, \"Action\"), mdx(\"ol\", null, mdx(\"li\", {\n    parentName: \"ol\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Open the security configuration:\"), mdx(\"pre\", {\n    parentName: \"li\"\n  }, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-bash\"\n  }, \"sudo nano /etc/apache2/conf-enabled/security.conf\\n\"))), mdx(\"li\", {\n    parentName: \"ol\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Ensure the following settings are applied:\"), mdx(\"pre\", {\n    parentName: \"li\"\n  }, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-apache\"\n  }, \"ServerTokens Prod\\nServerSignature Off\\n\")), mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Explanation:\"), mdx(\"ul\", {\n    parentName: \"li\"\n  }, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"li\"\n  }, \"ServerTokens Prod\"), \" limits the header information to just \", mdx(\"inlineCode\", {\n    parentName: \"li\"\n  }, \"Apache\"), \".  
\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"li\"\n  }, \"ServerSignature Off\"), \" removes version information from error pages.\"))), mdx(\"li\", {\n    parentName: \"ol\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Restart the service:\"), mdx(\"pre\", {\n    parentName: \"li\"\n  }, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-bash\"\n  }, \"sudo systemctl restart apache2.service\\n\"))), mdx(\"li\", {\n    parentName: \"ol\"\n  }, mdx(\"p\", {\n    parentName: \"li\"\n  }, \"Verify with:\"), mdx(\"pre\", {\n    parentName: \"li\"\n  }, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-bash\"\n  }, \"curl --head <server name>\\n\")))), mdx(\"hr\", null), mdx(\"h3\", null, \"Caddy\"), mdx(\"p\", null, \"Caddy does not expose version numbers by default.\"), mdx(\"p\", null, \"No action is required.\"), mdx(\"hr\", null), mdx(\"h2\", null, \"Requirements\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Web servers must not expose version numbers in HTTP headers.  \"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Configuration changes must be verified.  
\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Checks should be included in regular security reviews and during new installations.\")));\n}\n;\nMDXContent.isMDXComponent = true;","tableOfContents":{"items":[{"url":"#hiding-version-information-in-web-servers","title":"Hiding Version Information in Web Servers","items":[{"url":"#purpose","title":"Purpose"},{"url":"#verification-of-current-configuration","title":"Verification of Current Configuration"},{"url":"#configuration-by-web-server","title":"Configuration by Web Server","items":[{"url":"#nginx-ubuntu","title":"Nginx (Ubuntu)","items":[{"url":"#action","title":"Action"}]},{"url":"#apache-ubuntu","title":"Apache (Ubuntu)","items":[{"url":"#action-1","title":"Action"}]},{"url":"#caddy","title":"Caddy"}]},{"url":"#requirements","title":"Requirements"}]}]},"parent":{"relativePath":"cumulus/hide-webserver-version.md"},"frontmatter":{"metaTitle":null,"metaDescription":null}},"allMdx":{"edges":[{"node":{"fields":{"slug":"/","title":"Manuals"}}},{"node":{"fields":{"slug":"/coursepress","title":"CoursePress"}}},{"node":{"fields":{"slug":"/coursepress/om-wordpress","title":"Om CoursePress (WordPress)"}}},{"node":{"fields":{"slug":"/cumulus/cumulus-camp-server-certificate","title":"Securing Your Cumulus Campus Network Server with TLS Certificate"}}},{"node":{"fields":{"slug":"/cumulus/hide-webserver-version","title":"Hide Webserver Version"}}},{"node":{"fields":{"slug":"/cscloud/connect-to-server","title":"Connect to a Server"}}},{"node":{"fields":{"slug":"/cscloud","title":"CSCloud"}}},{"node":{"fields":{"slug":"/cumulus","title":"Cumulus"}}},{"node":{"fields":{"slug":"/gitlab/export-project","title":"Export your GitLab Projects to GitHub"}}},{"node":{"fields":{"slug":"/gitlab/hand-in-assignment-mr","title":"Submit Assignment as Merge Request"}}},{"node":{"fields":{"slug":"/cumulus/how-to-connect-to-a-cumulus-server","title":"How to Connect to a Cumulus 
Server"}}},{"node":{"fields":{"slug":"/gitlab/ssh-troubleshooting","title":"SSH Troubleshooting"}}},{"node":{"fields":{"slug":"/gitlab","title":"GitLab"}}},{"node":{"fields":{"slug":"/other","title":"Other"}}},{"node":{"fields":{"slug":"/other/azure","title":"Azure Dev Tools"}}},{"node":{"fields":{"slug":"/sandbox/basic-elements","title":"Basic elements"}}},{"node":{"fields":{"slug":"/sandbox/code","title":"Code"}}},{"node":{"fields":{"slug":"/sandbox/exercise","title":"Exercises"}}},{"node":{"fields":{"slug":"/sandbox/frontmatter","title":"Frontmatter"}}},{"node":{"fields":{"slug":"/sandbox/hint","title":"Hint"}}},{"node":{"fields":{"slug":"/sandbox","title":"Sandbox"}}},{"node":{"fields":{"slug":"/sandbox/markdown-import","title":"Imported markdown"}}},{"node":{"fields":{"slug":"/sandbox/mermaid","title":"Mermaid"}}},{"node":{"fields":{"slug":"/sandbox/tabs","title":"Tabs"}}},{"node":{"fields":{"slug":"/sandbox/youtube","title":"YouTube"}}},{"node":{"fields":{"slug":"/gitlab/git/group-projects","title":"Group projects"}}},{"node":{"fields":{"slug":"/gitlab/git/commit-messages","title":"Commit Messages"}}},{"node":{"fields":{"slug":"/gitlab/git/introduction","title":"Introduction to Git"}}},{"node":{"fields":{"slug":"/gitlab/git","title":"Git"}}},{"node":{"fields":{"slug":"/gitlab/git/multiple-computers","title":"Multiple computers"}}},{"node":{"fields":{"slug":"/gitlab/git/setup","title":"Setup"}}},{"node":{"fields":{"slug":"/gitlab/git/working-with-git","title":"Working with git"}}}]}},"pageContext":{"id":"07c0799b-95a1-583b-8b7d-a78ef9126303"}},
    "staticQueryHashes": ["253607798","3706406642","710574383"]}