Print

[itspeaks]

Hi,

I have a requirement to remove as much identifying data from the headers as possible.

I've been searching like mad for the item that generates the Header item "X-Distributed-by".

With Default settings, the line appears twice in my http response:
X-Distributed-by   AHC
X-Distributed-by   AHC

I've tried using   "Header unset X-Distributed-by " but then it only appears once.


below is my config...

<IfModule mod_headers.c>
   Header append Vary User-Agent env=!dont-vary
   Header unset Via
   Header unset X-Distributed-by
   Header set Server " "
   </IfModule>


Any suggestions?

Running: Apache/2.4.12 (Win32) PHP/5.3.29

[Gregg]

I've never seen it twice. Are you running one as a frontend proxying to another on the backend? Do it to both.

[itspeaks]

Thanks Greg - I am running a proxy Server and application server with FCGID.

Even with that setup on both servers the X-Distributed-by header still comes back with AHC as the Value.

My biggest issue is that I can't find documentation on where this tag comes from or what AHC stands for (I'm hoping it has something to do with Apache Haus!)

I need to be able to explain if it is a security risk exposing the distribution.

Thanks again.

[Gregg]

It does. I'm surprised it cannot be removed however in the manner you have tried.

2.4.13 & 2.2.30 will not have it. These are scheduled for next week but anytime I've predicted (based on talk on the dev mailing list) I've never been right.

I happened to read something just last week on this very subject. Of course the aim was to hide the fact you may have old versions running and not just of Apache. My feelings are these people looking for vulnerable software versions throw everything at you anyway, I get scans looking for all sorts of stuff I do not even have. Because of this, obscurity will not protect you. Only staying up to date on your software will.

Regardless of my opinion on the above, it will be gone next release. That decision was already made.

[itspeaks]

Great to hear! Thanks!