Masking the Server header in an HTTP response is the first step in server anonymization. Explore how to accomplish this task on the world's most popular Web servers:


Masking the Microsoft IIS Server Header

You can write a custom ISAPI filter to alter the Server header in Microsoft IIS. However, there is a particular art to writing ISAPI filters, and this is not a good place to start learning the craft. Alternatively, you could use Microsoft's free URLScan tool and alter the Server header in the URLScan.INI file. Be careful using URLScan to change the Server header if you are running the ColdFusion application server, however, since there is a known interoperability problem that results in some of the HTTP headers being dumped into the Web page. In fact, removing (rather than replacing) the Server header is the way to go when using URLScan, since attempting to change it simply pushes it to the bottom of the header order on IIS 5.0. This creates a header signature unique to IIS running URLScan, thereby defeating the purpose of masking the Server header in the first place.

We here at Port80 believe that the best way to remove the Server header and to mask other telltale signs that you are running Microsoft IIS is with ServerMask, our IIS security module. For more information on server anonymization, read this article that covers a variety of Web server hacker fingerprinting techniques and countermeasures.


Masking the Apache Server Header

Historically, one of Apache's advantages over IIS has been its superior configurability, and this also applies to masking the server's identity. The standard distribution of Apache includes an extension module called mod_headers which allows HTTP headers to be replaced or removed.

The mod_headers module makes available the Header and ErrorHeader directives. By using both of these directives with the "set" argument in the main server configuration section of Apache's httpd.conf, system administrators can ensure that the server will send the altered Server header value with all HTTP responses:

Header set Server "newservername"
ErrorHeader set Server "newservername"

Although mod_headers is part of Apache's standard distribution, it is an "extension" rather than a "base" module, meaning that it is not compiled and loaded by default. Accordingly, system administrators will normally have to re-compile Apache in order to get access to the Header and ErrorHeader directives.

Unfortunately, mod_headers cannot alter the Server header in versions of Apache prior to 2.X, so 1.3.x users will have to resort to editing the defines in httpd.h and recompiling Apache to get the same result.
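
After changing the configuration, it is worth checking both a normal and an error response from your own server. The Python script below is an added example, not code from Port80 or the Apache project: it audits captured response headers for a banner that still leaks on some responses and for a Server header pushed to the bottom of the header order, as described for URLScan on IIS 5.0. The sample responses, the "Apache/2.0.x" banner and the function names are constructed for illustration.

```python
# Added example: audit captured HTTP response heads for Server-header leaks.
# All sample responses and the "Apache/2.0.x" banner are constructed.
EXPECTED = "newservername"  # value from the Header/ErrorHeader lines above

OK_200 = ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
          "Server: newservername\r\nContent-Type: text/html\r\n\r\n<html>")
# Constructed case: error response still carrying the original banner
ERR_404 = ("HTTP/1.1 404 Not Found\r\nDate: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
           "Server: Apache/2.0.x (Unix)\r\nContent-Type: text/html\r\n\r\n")
# Constructed case: replaced banner sitting at the bottom of the header order
MOVED = ("HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
         "Content-Type: text/html\r\nContent-Length: 0\r\n"
         "Server: newservername\r\n\r\n")

def parse_head(raw):
    """Return (status, [(name, value), ...]) with header order preserved."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = int(head[0].split()[1])
    headers = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers

def audit(raw, expected=EXPECTED):
    """List findings for one response; expected=None means 'header removed'."""
    status, headers = parse_head(raw)
    names = [name.lower() for name, _ in headers]
    servers = [value for name, value in headers if name.lower() == "server"]
    findings = []
    for value in servers:
        if expected is None:
            findings.append(f"{status}: Server header present ('{value}')")
        elif value != expected:
            findings.append(f"{status}: Server header leaks '{value}'")
    if len(servers) > 1:
        findings.append(f"{status}: duplicate Server headers")
    # Heuristic: a trailing Server header is itself an ordering signature
    if servers and len(names) > 1 and names[-1] == "server":
        findings.append(f"{status}: Server header is last in header order")
    return findings

if __name__ == "__main__":
    for label, raw in (("200", OK_200), ("404", ERR_404), ("moved", MOVED)):
        print(label, audit(raw) or "masked")
```

Pass expected=None when the header is supposed to be removed rather than replaced, which is the approach recommended above for URLScan.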