Why do some web servers still provide information on vendor and version in the HTTP response headersCascaded Sudo for privilege elevationWas I a victim of an “Apache PHP Remote Exploit” attack?How long do HTML password fields (sent to the server as postdata) remain in memory?Why are web servers ubiquitously configured by blacklisting inaccessible files instead of whitelisting the accessible ones?Is an SSL/TLS HTTPS certificate 'fingerprinting' attack possible?Security issues for host system when running a home web server on a VMAre there any problems with using CAMELLIA, IDEA and SEED based cipher suites on a web server in 2016?Server-side man-in-the-middle/eavesdropping: attacks between two servers using unencrypted HTTPAre there any sequences other than ../ which will be intepreted as directory traversal in *nix or Windows?Am I exposing myself to attacks when running my test server while connected to a commercial VPN?

What did Rex Kramer mean by routing the plane in Lake Michigan?

Is there an appropriate response to "Jesus Loves You"?

How many flight hours do the first retiring A380s have?

How do sound waves travel and their reflections?

What are the possible punishments for an impeached USA president?

What's the name of this windows feature?

Chess Tournaments without Studying Theory?

What can I do at Hong Kong Airport for 13 hours?

Why give an android emotions?

Homomorphic Modular Reduction for Secure Storage

Can you counterspell a spell if you don't know who's casting it?

How do I recover from a cryptocurrency scam?

Which Grows Faster: Factorial or Double Exponentiation

Why the highlighted outline in animated cartoons?

Dropping "to be" and other verbs in Latin?

Two voices for a solo singer written in a sheet music

Is there any benefit of being treated as "professor" by students and admin?

How do you help a new player evaluate complex multiclassing options without driving them and yourself crazy?

Is there any canon reason why urban werewolves haven't destroyed vampires (or vice versa)?

What is the difference between "more" and "less" commands?

What does Lion Air faking the repair of the AoA vane mean for the Florida repair shop that ceased operations?

Is there any conceivable way to "turn off" a star?

Why does the forward voltage drop in a diode vary slightly when there is a change in the diode current?

Sending non-work emails to colleagues. Is it rude?



Why do some web servers still provide information on vendor and version in the HTTP response headers


Cascaded Sudo for privilege elevationWas I a victim of an “Apache PHP Remote Exploit” attack?How long do HTML password fields (sent to the server as postdata) remain in memory?Why are web servers ubiquitously configured by blacklisting inaccessible files instead of whitelisting the accessible ones?Is an SSL/TLS HTTPS certificate 'fingerprinting' attack possible?Security issues for host system when running a home web server on a VMAre there any problems with using CAMELLIA, IDEA and SEED based cipher suites on a web server in 2016?Server-side man-in-the-middle/eavesdropping: attacks between two servers using unencrypted HTTPAre there any sequences other than ../ which will be intepreted as directory traversal in *nix or Windows?Am I exposing myself to attacks when running my test server while connected to a commercial VPN?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;









38


















I think in the security field it is a well-known fact that its not a good idea to let the web server vendor (e.g. Apache) and the version be visible to the outside as this can be used to launch targeted attacks against a specific server implementation.



I launched an Apache 2.4 Docker container to see whether that is still the case - and yes, it is.



I thought a bit about it. Wouldn't it be great to have a standard that web servers can implement against which defines a standard feature set that is versioned using semantic versioning?



This way, applications can still handle different server versions (which seems as the only reason why I would want to see the version from the outside) - but at least the vendor of the web server could be hidden. That would be at least one more hurdle an attacker has to deal with.



What do you think?










share|improve this question




















  • 17





    The standard feature set you are talking about is called HTTP(S)?

    – Bergi
    Oct 17 at 7:41






  • 6





    It's about as unsafe as it is safe to hide the server vendor/version. Hiding it is security through obscurity and provides only the shallowest of safety against the most ignorant attackers.

    – Gloweye
    Oct 17 at 12:56






  • 5





    But seeing your proposed "standard header" will "tell" an attacker you're using at least version x.yy of Apache, or at least version a.bb of Nginx (the hypothetical versions where each adopted the use of standard headers). As answers here, and to a similar question about versions of an API note, not showing a version is only a minor hindrance to an attacker, but can a pain-in-the-proverbial to someone supporting a system.

    – TripeHound
    Oct 17 at 13:05






  • 14





    The main reason to hide the server version these days is so the PCI scan passes.

    – jdgregson
    Oct 17 at 18:25






  • 4





    "I think in the security field it is a well-known fact that its not a good idea to let the web server vendor and the version be visible to the outside ..." - I don't think there's any real consensus on that.

    – marcelm
    Oct 17 at 23:15

















38


















I think in the security field it is a well-known fact that its not a good idea to let the web server vendor (e.g. Apache) and the version be visible to the outside as this can be used to launch targeted attacks against a specific server implementation.



I launched an Apache 2.4 Docker container to see whether that is still the case - and yes, it is.



I thought a bit about it. Wouldn't it be great to have a standard that web servers can implement against which defines a standard feature set that is versioned using semantic versioning?



This way, applications can still handle different server versions (which seems as the only reason why I would want to see the version from the outside) - but at least the vendor of the web server could be hidden. That would be at least one more hurdle an attacker has to deal with.



What do you think?










share|improve this question




















  • 17





    The standard feature set you are talking about is called HTTP(S)?

    – Bergi
    Oct 17 at 7:41






  • 6





    It's about as unsafe as it is safe to hide the server vendor/version. Hiding it is security through obscurity and provides only the shallowest of safety against the most ignorant attackers.

    – Gloweye
    Oct 17 at 12:56






  • 5





    But seeing your proposed "standard header" will "tell" an attacker you're using at least version x.yy of Apache, or at least version a.bb of Nginx (the hypothetical versions where each adopted the use of standard headers). As answers here, and to a similar question about versions of an API note, not showing a version is only a minor hindrance to an attacker, but can a pain-in-the-proverbial to someone supporting a system.

    – TripeHound
    Oct 17 at 13:05






  • 14





    The main reason to hide the server version these days is so the PCI scan passes.

    – jdgregson
    Oct 17 at 18:25






  • 4





    "I think in the security field it is a well-known fact that its not a good idea to let the web server vendor and the version be visible to the outside ..." - I don't think there's any real consensus on that.

    – marcelm
    Oct 17 at 23:15













38













38









38


3






I think in the security field it is a well-known fact that its not a good idea to let the web server vendor (e.g. Apache) and the version be visible to the outside as this can be used to launch targeted attacks against a specific server implementation.



I launched an Apache 2.4 Docker container to see whether that is still the case - and yes, it is.



I thought a bit about it. Wouldn't it be great to have a standard that web servers can implement against which defines a standard feature set that is versioned using semantic versioning?



This way, applications can still handle different server versions (which seems as the only reason why I would want to see the version from the outside) - but at least the vendor of the web server could be hidden. That would be at least one more hurdle an attacker has to deal with.



What do you think?










share|improve this question














I think in the security field it is a well-known fact that its not a good idea to let the web server vendor (e.g. Apache) and the version be visible to the outside as this can be used to launch targeted attacks against a specific server implementation.



I launched an Apache 2.4 Docker container to see whether that is still the case - and yes, it is.



I thought a bit about it. Wouldn't it be great to have a standard that web servers can implement against which defines a standard feature set that is versioned using semantic versioning?



This way, applications can still handle different server versions (which seems as the only reason why I would want to see the version from the outside) - but at least the vendor of the web server could be hidden. That would be at least one more hurdle an attacker has to deal with.



What do you think?







webserver fingerprinting






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Oct 16 at 19:08









pudelwudelpudelwudel

5193 silver badges7 bronze badges




5193 silver badges7 bronze badges










  • 17





    The standard feature set you are talking about is called HTTP(S)?

    – Bergi
    Oct 17 at 7:41






  • 6





    It's about as unsafe as it is safe to hide the server vendor/version. Hiding it is security through obscurity and provides only the shallowest of safety against the most ignorant attackers.

    – Gloweye
    Oct 17 at 12:56






  • 5





    But seeing your proposed "standard header" will "tell" an attacker you're using at least version x.yy of Apache, or at least version a.bb of Nginx (the hypothetical versions where each adopted the use of standard headers). As answers here, and to a similar question about versions of an API note, not showing a version is only a minor hindrance to an attacker, but can a pain-in-the-proverbial to someone supporting a system.

    – TripeHound
    Oct 17 at 13:05






  • 14





    The main reason to hide the server version these days is so the PCI scan passes.

    – jdgregson
    Oct 17 at 18:25






  • 4





    "I think in the security field it is a well-known fact that its not a good idea to let the web server vendor and the version be visible to the outside ..." - I don't think there's any real consensus on that.

    – marcelm
    Oct 17 at 23:15












  • 17





    The standard feature set you are talking about is called HTTP(S)?

    – Bergi
    Oct 17 at 7:41






  • 6





    It's about as unsafe as it is safe to hide the server vendor/version. Hiding it is security through obscurity and provides only the shallowest of safety against the most ignorant attackers.

    – Gloweye
    Oct 17 at 12:56






  • 5





    But seeing your proposed "standard header" will "tell" an attacker you're using at least version x.yy of Apache, or at least version a.bb of Nginx (the hypothetical versions where each adopted the use of standard headers). As answers here, and to a similar question about versions of an API note, not showing a version is only a minor hindrance to an attacker, but can a pain-in-the-proverbial to someone supporting a system.

    – TripeHound
    Oct 17 at 13:05






  • 14





    The main reason to hide the server version these days is so the PCI scan passes.

    – jdgregson
    Oct 17 at 18:25






  • 4





    "I think in the security field it is a well-known fact that its not a good idea to let the web server vendor and the version be visible to the outside ..." - I don't think there's any real consensus on that.

    – marcelm
    Oct 17 at 23:15







17




17





The standard feature set you are talking about is called HTTP(S)?

– Bergi
Oct 17 at 7:41





The standard feature set you are talking about is called HTTP(S)?

– Bergi
Oct 17 at 7:41




6




6





It's about as unsafe as it is safe to hide the server vendor/version. Hiding it is security through obscurity and provides only the shallowest of safety against the most ignorant attackers.

– Gloweye
Oct 17 at 12:56





It's about as unsafe as it is safe to hide the server vendor/version. Hiding it is security through obscurity and provides only the shallowest of safety against the most ignorant attackers.

– Gloweye
Oct 17 at 12:56




5




5





But seeing your proposed "standard header" will "tell" an attacker you're using at least version x.yy of Apache, or at least version a.bb of Nginx (the hypothetical versions where each adopted the use of standard headers). As answers here, and to a similar question about versions of an API note, not showing a version is only a minor hindrance to an attacker, but can a pain-in-the-proverbial to someone supporting a system.

– TripeHound
Oct 17 at 13:05





But seeing your proposed "standard header" will "tell" an attacker you're using at least version x.yy of Apache, or at least version a.bb of Nginx (the hypothetical versions where each adopted the use of standard headers). As answers here, and to a similar question about versions of an API note, not showing a version is only a minor hindrance to an attacker, but can a pain-in-the-proverbial to someone supporting a system.

– TripeHound
Oct 17 at 13:05




14




14





The main reason to hide the server version these days is so the PCI scan passes.

– jdgregson
Oct 17 at 18:25





The main reason to hide the server version these days is so the PCI scan passes.

– jdgregson
Oct 17 at 18:25




4




4





"I think in the security field it is a well-known fact that its not a good idea to let the web server vendor and the version be visible to the outside ..." - I don't think there's any real consensus on that.

– marcelm
Oct 17 at 23:15





"I think in the security field it is a well-known fact that its not a good idea to let the web server vendor and the version be visible to the outside ..." - I don't think there's any real consensus on that.

– marcelm
Oct 17 at 23:15










5 Answers
5






active

oldest

votes


















52



















Yes, in theory by advertising vendor and version in the banner makes an attacker's job easier, but like only a little bit.



Even if you don't advertise it, it can be figured out from the behaviour of the app. Take for example, the network scanning tool nmap:




Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features.




Source: wikipedia




After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses.




Source: nmap documentation.



Basically, nmap will start by trying to decide if it's apache / nginx / IIS, etc, which it will do by sending a specific packet to which it knows that the different web servers will respond differently. Then, once it knows that it's apache, it will send packets that target behaviours that have changed between one version and another, possibly because of a bug fix or because of a new feature.



As noted by @paj28 in comments, nmap is quite good at detecting the vendor, but hit-and-miss with version, when nmap displays detailed version info, that's probably because there was a banner. Of course, if you're trying to hack in, why bother trying to figure out version at all; once you know it's apache, why not just run all the apache exploit scripts from metasploit at it and see if any of them stick?



So yes, in theory it's possible to write a specification for "Here's how all web servers MUST behave", but that means that you're not allowing web servers to ever innovate, or fix bugs. Moreover, web servers will want to differentiate themselves with features that other servers don't have.



As pointed out by @TripeHound, version banners can be considered a win for security as they allow sysadmins to easily inventory their systems and keep them up to date.




TL;DR: Banner or not, you can figure out what web server and OS you're talking to.




Nmap Example



Since this post got popular, I'll add and some examples:



Apache httpd puts version info right in an HTTP header:



HTTP/1.1 200 OK
Date: Thu, 17 Oct 2019 14:26:10 GMT
Server: Apache/2.4.6 (CentOS)


and unsurprisingly, nmap picks this up:



 ~ nmap 192.168.56.107 -p 80 -A --version-all

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-17 07:58 EDT
Nmap scan report for 192.168.56.107
Host is up (0.0020s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((CentOS))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-title: Apache HTTP Server Test Page powered by CentOS

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds


If we try something a bit trickier, Apache Tomcat does not give an obvious banner:



HTTP/1.1 200 
Accept-Ranges: bytes
ETag: W/"1896-1527518937672"
Last-Modified: Mon, 28 May 2018 14:48:57 GMT
Content-Type: text/html
Content-Length: 1896
Date: Thu, 17 Oct 2019 14:35:05 GMT
Connection: close

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Apache Tomcat</title>
</head>
...


we see that nmap gets the vendor right, but does not have a guess at the version:



~ nmap -A -p 8080 192.168.56.1

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-17 10:34 EDT
Nmap scan report for 192.168.56.1
Host is up (0.0013s latency).

PORT STATE SERVICE VERSION
8080/tcp open http Apache Tomcat
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.71 seconds





share|improve this answer






















  • 28





    The banner can also be configured to lie, while fingerprinting based on behavior is a bit harder to mislead... I'd expect junior pen testers and script kiddies to be the only people who actually care about the banner.

    – Ghedipunk
    Oct 16 at 20:03






  • 2





    While nmap can determine the type of server quite reliably, the determining the version is very hit and miss

    – paj28
    Oct 17 at 14:00






  • 1





    I get that you might be able to work it out indirectly but how reliably? One of my reoccurring annoyances is that vulnerability scanners keep 'finding' vulnerable Wordpress plugins running on our servers that don't even use PHP.

    – JimmyJames
    Oct 17 at 14:33











  • Thanks for the prompt @paj28. I've rolled in more info about the reliability of version detection.

    – Mike Ounsworth
    Oct 17 at 14:39











  • Thanks for the detailed answer. I think the web servers out there could be providing unique features while still giving out as little information as possible. The could come in a very secure default configuration that only offers the standard set of features and additional features would have to be configured by the admin. As I also learned, the order of the header fields in the response can be used for fingerprinting (e.g. IIS and Apache order the fields differently as far as I remember). Obviously that is a point that could be easily fixed.

    – pudelwudel
    Oct 17 at 20:17


















28



















Attackers just do not care. When you have a popular website, you find bots probing for every (vulnerable) version of phpmyadmin on every conceivable path, even when your site does not use a database at all. In the same manner, they probably probe for security holes in every version of, e.g., apache. Lying on or omitting the Server header does not buy you much security here.



But when you're the admin, you can use the Server header to quickly identify, if the server is still unpatched, what may prevent you from forgetting that you did not update, yet.



Of course your concerns are valid, e.g., when somebody is gathering information and may manually sort out exploits, that would work when they knew the right version, but in most cases it is just security by obscurity. The important point is, that you should make sure to keep the software updated, so you do not need to care about an attacker knowing that you run the latest version.






share|improve this answer




















  • 13





    "when you're the admin, you can use the Server header to quickly identify, if the server is still unpatched" An administrator can look at the installed version on the system. That is not a reason to expose it to the whole internet.

    – Luc
    Oct 17 at 8:57






  • 1





    If I need to rely on external sources to see what is inside my network, I have bigger issues. And I also think blocking icmp is detrimental to the Internet.

    – Luc
    Oct 17 at 12:24






  • 2





    It is a debugging tool. You're free to turn it off, but it is useful to have it in many cases, e.g. debugging problems, interpreting bug reports by users and many more. The question here was not about if you can update your webserver without needing a header that tells you its version, but about why webservers still send the header by default.

    – allo
    Oct 17 at 14:01






  • 1





    @JimmyJames That makes no sense. If a flaw is discovered, the next version fixes it. It is not always mentioned in changelogs, so you often can't rely on those to tell you when you really need to update. Purposefully running an old version is almost always worse. And when a flaw is discovered that only affects the latest version and was due to new code that was not in previous versions (this is exceptional), then a new version is released that fixes that code, and you don't have to revert, either. The latest version is generally the right choice for security.

    – Luc
    Oct 17 at 17:31







  • 2





    @Luc Sometimes new releases introduce new flaws. When those flaws are discovered, there's not always a new release ready to go. I'm not sure what doesn't make sense about that.

    – JimmyJames
    Oct 17 at 17:48


















13



















Historically, many servers returned headers like this:




Server: Apache/2.4.1 (Unix) mod_php/1.2 mod_ssl/0.9




This does give away a bit more information than you want, so most servers now default to headers like this:




Server: Apache




In fact, most web servers make it difficult to turn off this header. The reason? Marketing. They want to appear in surveys of what the most common web servers are.



Regarding fingerprinting, a number of tools can quite reliably determine Apache vs NGINX vs IIS, etc. But fingerprinting the version of a server is much harder, open source tools do not do it well, and it is impossible with any granularity.






share|improve this answer






















  • 2





    I only have experience administering Apache httpd and Apache Tomcat servers. Both of those are astoundingly simply to change/remove the Server response header. nginx seems to have a similarly easy option to do so. So I'm not sure that "most web servers make it difficult to turn off this header" is accurate at all. Maybe "Microsoft IIS doesn't allow you to turn it off easily" is more accurate.

    – Christopher Schultz
    Oct 18 at 19:24











  • @ChristopherSchultz - how exactly did you turn it off for Apache?

    – paj28
    Oct 19 at 11:24


















5



















As said, it's not a security issue to leave it, and it's a useful information for some client programs. Take curl for instance: it uses the Server header value to check if HTTP pipelining can be enabled:



Taken from https://serverfault.com/a/596560/347610




[curl shows this message when run in verbose mode -v]:



* Server Apache/... is not blacklisted



It is an internal message from curl.
Seems to be part of a curl feature related to pipelining.




See also https://daniel.haxx.se/blog/2013/03/26/better-pipelining-in-libcurl-7-30-0/




a server blacklist [note: "based off the Server header"] that allows the application to specify a list of servers for which HTTP pipelining should not be attempted – real world tests has proven that some servers are too broken to be allowed to play the game




Hence why it's still enabled by default, and is totally harmless (just keep your server up to date). It's somehow the server's version of User-Agent header.






share|improve this answer

























  • I did not know this was actually used by any software, I really thought the Server header was sent on every response just to be informative for the one-in-a-billion http responses seen by human eyes (or for statistics counting). Thanks for mentioning there is a practical reason to include a server header in the response!

    – Luc
    Oct 17 at 18:29











  • If you remove the Server response header, it won't be blacklisted from curl's pipelining features...

    – Christopher Schultz
    Oct 18 at 19:25











  • @ChristopherSchultz No, but if your server's version is in curl's blacklist, removing the Server header will make curl use pipelining while this server version support it wrong. Maybe some other web client use the same kind of scheme without stating so (or aren't in verbose mode), hence why leaving the Server header is a good idea (see RFC 7231 too).

    – Xenos
    Oct 19 at 11:50


















1



















Because hiding version information is a weak security measure and a form of security through obscurity. The amount of security it adds is debatable, given that a) attackers can still fingerprint and probably determine your server, version and mods within a narrow margin of error and b) attackers can simply throw their whole library of exploits at you anyway.



In most scenarios, all you do is add a bit of time and effort for the attacker. The only scenario where you actually win something is if an attacker prepares a large attack by scanning entire networks to focus his later attack only on servers found vulnerable (i.e. he wants to compromise as many sites as possible in as short a time as possible) and he doesn't use fingerprinting or it doesn't work reliably on your site.



That's why turning off version information in production is one of those low-hanging fruits we usually do or advise simply because it does little harm and might do a little good, so why not?



During development, not being able to check the version from outside can cause additional work (log in to system, check there with commandline tools), or may not even be possible because the devs can't directly access the server, so in development version numbers are usually not turned off.



Your docker image does not know if it will be used for production or development. That's why it keeps version numbers on - it would do more harm in one setting than it does good in the other.






share|improve this answer


























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );














    draft saved

    draft discarded
















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f219703%2fwhy-do-some-web-servers-still-provide-information-on-vendor-and-version-in-the-h%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown


























    5 Answers
    5






    active

    oldest

    votes








    5 Answers
    5






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    52



















    Yes, in theory by advertising vendor and version in the banner makes an attacker's job easier, but like only a little bit.



    Even if you don't advertise it, it can be figured out from the behaviour of the app. Take for example, the network scanning tool nmap:




    Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features.




    Source: wikipedia




    After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses.




    Source: nmap documentation.



    Basically, nmap will start by trying to decide if it's apache / nginx / IIS, etc, which it will do by sending a specific packet to which it knows that the different web servers will respond differently. Then, once it knows that it's apache, it will send packets that target behaviours that have changed between one version and another, possibly because of a bug fix or because of a new feature.



    As noted by @paj28 in comments, nmap is quite good at detecting the vendor, but hit-and-miss with version, when nmap displays detailed version info, that's probably because there was a banner. Of course, if you're trying to hack in, why bother trying to figure out version at all; once you know it's apache, why not just run all the apache exploit scripts from metasploit at it and see if any of them stick?



    So yes, in theory it's possible to write a specification for "Here's how all web servers MUST behave", but that means that you're not allowing web servers to ever innovate, or fix bugs. Moreover, web servers will want to differentiate themselves with features that other servers don't have.



    As pointed out by @TripeHound, version banners can be considered a win for security as they allow sysadmins to easily inventory their systems and keep them up to date.




    TL;DR: Banner or not, you can figure out what web server and OS you're talking to.




    Nmap Example



    Since this post got popular, I'll add and some examples:



    Apache httpd puts version info right in an HTTP header:



    HTTP/1.1 200 OK
    Date: Thu, 17 Oct 2019 14:26:10 GMT
    Server: Apache/2.4.6 (CentOS)


    and unsurprisingly, nmap picks this up:



     ~ nmap 192.168.56.107 -p 80 -A --version-all

    Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-17 07:58 EDT
    Nmap scan report for 192.168.56.107
    Host is up (0.0020s latency).

    PORT STATE SERVICE VERSION
    80/tcp open http Apache httpd 2.4.6 ((CentOS))
    | http-methods:
    |_ Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.6 (CentOS)
    |_http-title: Apache HTTP Server Test Page powered by CentOS

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds


    If we try something a bit trickier, Apache Tomcat does not give an obvious banner:



    HTTP/1.1 200 
    Accept-Ranges: bytes
    ETag: W/"1896-1527518937672"
    Last-Modified: Mon, 28 May 2018 14:48:57 GMT
    Content-Type: text/html
    Content-Length: 1896
    Date: Thu, 17 Oct 2019 14:35:05 GMT
    Connection: close

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <title>Apache Tomcat</title>
    </head>
    ...


    we see that nmap gets the vendor right, but does not have a guess at the version:



    ~ nmap -A -p 8080 192.168.56.1

    Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-17 10:34 EDT
    Nmap scan report for 192.168.56.1
    Host is up (0.0013s latency).

    PORT STATE SERVICE VERSION
    8080/tcp open http Apache Tomcat
    | http-methods:
    |_ Potentially risky methods: PUT DELETE
    |_http-open-proxy: Proxy might be redirecting requests
    |_http-title: Apache Tomcat

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 21.71 seconds





    share|improve this answer






















    • 28





      The banner can also be configured to lie, while fingerprinting based on behavior is a bit harder to mislead... I'd expect junior pen testers and script kiddies to be the only people who actually care about the banner.

      – Ghedipunk
      Oct 16 at 20:03






    • 2





      While nmap can determine the type of server quite reliably, the determining the version is very hit and miss

      – paj28
      Oct 17 at 14:00






    • 1





      I get that you might be able to work it out indirectly but how reliably? One of my reoccurring annoyances is that vulnerability scanners keep 'finding' vulnerable Wordpress plugins running on our servers that don't even use PHP.

      – JimmyJames
      Oct 17 at 14:33











    • Thanks for the prompt @paj28. I've rolled in more info about the reliability of version detection.

      – Mike Ounsworth
      Oct 17 at 14:39











    • Thanks for the detailed answer. I think the web servers out there could be providing unique features while still giving out as little information as possible. The could come in a very secure default configuration that only offers the standard set of features and additional features would have to be configured by the admin. As I also learned, the order of the header fields in the response can be used for fingerprinting (e.g. IIS and Apache order the fields differently as far as I remember). Obviously that is a point that could be easily fixed.

      – pudelwudel
      Oct 17 at 20:17















    52



















    Yes, in theory by advertising vendor and version in the banner makes an attacker's job easier, but like only a little bit.



    Even if you don't advertise it, it can be figured out from the behaviour of the app. Take for example, the network scanning tool nmap:




    Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features.




    Source: wikipedia




    After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses.




    Source: nmap documentation.



    Basically, nmap will start by trying to decide if it's apache / nginx / IIS, etc, which it will do by sending a specific packet to which it knows that the different web servers will respond differently. Then, once it knows that it's apache, it will send packets that target behaviours that have changed between one version and another, possibly because of a bug fix or because of a new feature.



    As noted by @paj28 in comments, nmap is quite good at detecting the vendor, but hit-and-miss with version, when nmap displays detailed version info, that's probably because there was a banner. Of course, if you're trying to hack in, why bother trying to figure out version at all; once you know it's apache, why not just run all the apache exploit scripts from metasploit at it and see if any of them stick?



    So yes, in theory it's possible to write a specification for "Here's how all web servers MUST behave", but that means that you're not allowing web servers to ever innovate, or fix bugs. Moreover, web servers will want to differentiate themselves with features that other servers don't have.



    As pointed out by @TripeHound, version banners can be considered a win for security as they allow sysadmins to easily inventory their systems and keep them up to date.




    TL;DR: Banner or not, you can figure out what web server and OS you're talking to.




    Nmap Example



    Since this post got popular, I'll add and some examples:



    Apache httpd puts version info right in an HTTP header:



    HTTP/1.1 200 OK
    Date: Thu, 17 Oct 2019 14:26:10 GMT
    Server: Apache/2.4.6 (CentOS)


    and unsurprisingly, nmap picks this up:



     ~ nmap 192.168.56.107 -p 80 -A --version-all

    Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-17 07:58 EDT
    Nmap scan report for 192.168.56.107
    Host is up (0.0020s latency).

    PORT STATE SERVICE VERSION
    80/tcp open http Apache httpd 2.4.6 ((CentOS))
    | http-methods:
    |_ Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.6 (CentOS)
    |_http-title: Apache HTTP Server Test Page powered by CentOS

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds


    If we try something a bit trickier, Apache Tomcat does not give an obvious banner:



    HTTP/1.1 200 
    Accept-Ranges: bytes
    ETag: W/"1896-1527518937672"
    Last-Modified: Mon, 28 May 2018 14:48:57 GMT
    Content-Type: text/html
    Content-Length: 1896
    Date: Thu, 17 Oct 2019 14:35:05 GMT
    Connection: close

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <title>Apache Tomcat</title>
    </head>
    ...


    we see that nmap gets the vendor right, but does not have a guess at the version:



    ~ nmap -A -p 8080 192.168.56.1

    Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-17 10:34 EDT
    Nmap scan report for 192.168.56.1
    Host is up (0.0013s latency).

    PORT STATE SERVICE VERSION
    8080/tcp open http Apache Tomcat
    | http-methods:
    |_ Potentially risky methods: PUT DELETE
    |_http-open-proxy: Proxy might be redirecting requests
    |_http-title: Apache Tomcat

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 21.71 seconds





    share|improve this answer






















    • 28





      The banner can also be configured to lie, while fingerprinting based on behavior is a bit harder to mislead... I'd expect junior pen testers and script kiddies to be the only people who actually care about the banner.

      – Ghedipunk
      Oct 16 at 20:03






    • 2





      While nmap can determine the type of server quite reliably, the determining the version is very hit and miss

      – paj28
      Oct 17 at 14:00






    • 1





      I get that you might be able to work it out indirectly but how reliably? One of my reoccurring annoyances is that vulnerability scanners keep 'finding' vulnerable Wordpress plugins running on our servers that don't even use PHP.

      – JimmyJames
      Oct 17 at 14:33











    • Thanks for the prompt @paj28. I've rolled in more info about the reliability of version detection.

      – Mike Ounsworth
      Oct 17 at 14:39











    • Thanks for the detailed answer. I think the web servers out there could be providing unique features while still giving out as little information as possible. The could come in a very secure default configuration that only offers the standard set of features and additional features would have to be configured by the admin. As I also learned, the order of the header fields in the response can be used for fingerprinting (e.g. IIS and Apache order the fields differently as far as I remember). Obviously that is a point that could be easily fixed.

      – pudelwudel
      Oct 17 at 20:17













    52















    52











    52









    Yes, in theory by advertising vendor and version in the banner makes an attacker's job easier, but like only a little bit.



    Even if you don't advertise it, it can be figured out from the behaviour of the app. Take for example, the network scanning tool nmap:




    Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features.




    Source: wikipedia




    After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses.




    Source: nmap documentation.



    Basically, nmap will start by trying to decide if it's apache / nginx / IIS, etc, which it will do by sending a specific packet to which it knows that the different web servers will respond differently. Then, once it knows that it's apache, it will send packets that target behaviours that have changed between one version and another, possibly because of a bug fix or because of a new feature.



    As noted by @paj28 in comments, nmap is quite good at detecting the vendor, but hit-and-miss with version, when nmap displays detailed version info, that's probably because there was a banner. Of course, if you're trying to hack in, why bother trying to figure out version at all; once you know it's apache, why not just run all the apache exploit scripts from metasploit at it and see if any of them stick?



    So yes, in theory it's possible to write a specification for "Here's how all web servers MUST behave", but that means that you're not allowing web servers to ever innovate, or fix bugs. Moreover, web servers will want to differentiate themselves with features that other servers don't have.



    As pointed out by @TripeHound, version banners can be considered a win for security as they allow sysadmins to easily inventory their systems and keep them up to date.




    TL;DR: Banner or not, you can figure out what web server and OS you're talking to.




    Nmap Example



    Since this post got popular, I'll add and some examples:



    Apache httpd puts version info right in an HTTP header:



    HTTP/1.1 200 OK
    Date: Thu, 17 Oct 2019 14:26:10 GMT
    Server: Apache/2.4.6 (CentOS)


    and unsurprisingly, nmap picks this up:



     ~ nmap 192.168.56.107 -p 80 -A --version-all

    Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-17 07:58 EDT
    Nmap scan report for 192.168.56.107
    Host is up (0.0020s latency).

    PORT STATE SERVICE VERSION
    80/tcp open http Apache httpd 2.4.6 ((CentOS))
    | http-methods:
    |_ Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.6 (CentOS)
    |_http-title: Apache HTTP Server Test Page powered by CentOS

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds


    If we try something a bit trickier, Apache Tomcat does not give an obvious banner:



    HTTP/1.1 200 
    Accept-Ranges: bytes
    ETag: W/"1896-1527518937672"
    Last-Modified: Mon, 28 May 2018 14:48:57 GMT
    Content-Type: text/html
    Content-Length: 1896
    Date: Thu, 17 Oct 2019 14:35:05 GMT
    Connection: close

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <title>Apache Tomcat</title>
    </head>
    ...


    we see that nmap gets the vendor right, but does not have a guess at the version:



    ~ nmap -A -p 8080 192.168.56.1

    Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-17 10:34 EDT
    Nmap scan report for 192.168.56.1
    Host is up (0.0013s latency).

    PORT STATE SERVICE VERSION
    8080/tcp open http Apache Tomcat
    | http-methods:
    |_ Potentially risky methods: PUT DELETE
    |_http-open-proxy: Proxy might be redirecting requests
    |_http-title: Apache Tomcat

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 21.71 seconds





    share|improve this answer
















    Yes, in theory by advertising vendor and version in the banner makes an attacker's job easier, but like only a little bit.



    Even if you don't advertise it, it can be figured out from the behaviour of the app. Take for example, the network scanning tool nmap:




    Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features.




    Source: wikipedia




    After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses.




    Source: nmap documentation.



    Basically, nmap will start by trying to decide if it's apache / nginx / IIS, etc, which it will do by sending a specific packet to which it knows that the different web servers will respond differently. Then, once it knows that it's apache, it will send packets that target behaviours that have changed between one version and another, possibly because of a bug fix or because of a new feature.



    As noted by @paj28 in comments, nmap is quite good at detecting the vendor, but hit-and-miss with version, when nmap displays detailed version info, that's probably because there was a banner. Of course, if you're trying to hack in, why bother trying to figure out version at all; once you know it's apache, why not just run all the apache exploit scripts from metasploit at it and see if any of them stick?



    So yes, in theory it's possible to write a specification for "Here's how all web servers MUST behave", but that means that you're not allowing web servers to ever innovate, or fix bugs. Moreover, web servers will want to differentiate themselves with features that other servers don't have.



    As pointed out by @TripeHound, version banners can be considered a win for security as they allow sysadmins to easily inventory their systems and keep them up to date.




    TL;DR: Banner or not, you can figure out what web server and OS you're talking to.




    Nmap Example



    Since this post got popular, I'll add and some examples:



    Apache httpd puts version info right in an HTTP header:



    HTTP/1.1 200 OK
    Date: Thu, 17 Oct 2019 14:26:10 GMT
    Server: Apache/2.4.6 (CentOS)


    and unsurprisingly, nmap picks this up:



     ~ nmap 192.168.56.107 -p 80 -A --version-all

    Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-17 07:58 EDT
    Nmap scan report for 192.168.56.107
    Host is up (0.0020s latency).

    PORT STATE SERVICE VERSION
    80/tcp open http Apache httpd 2.4.6 ((CentOS))
    | http-methods:
    |_ Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.6 (CentOS)
    |_http-title: Apache HTTP Server Test Page powered by CentOS

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds


    If we try something a bit trickier, Apache Tomcat does not give an obvious banner:



    HTTP/1.1 200 
    Accept-Ranges: bytes
    ETag: W/"1896-1527518937672"
    Last-Modified: Mon, 28 May 2018 14:48:57 GMT
    Content-Type: text/html
    Content-Length: 1896
    Date: Thu, 17 Oct 2019 14:35:05 GMT
    Connection: close

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <title>Apache Tomcat</title>
    </head>
    ...


    we see that nmap gets the vendor right, but does not have a guess at the version:



    ~ nmap -A -p 8080 192.168.56.1

    Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-17 10:34 EDT
    Nmap scan report for 192.168.56.1
    Host is up (0.0013s latency).

    PORT STATE SERVICE VERSION
    8080/tcp open http Apache Tomcat
    | http-methods:
    |_ Potentially risky methods: PUT DELETE
    |_http-open-proxy: Proxy might be redirecting requests
    |_http-title: Apache Tomcat

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 21.71 seconds






    share|improve this answer















    share|improve this answer




    share|improve this answer








    edited Oct 17 at 14:38

























    answered Oct 16 at 19:20









    Mike OunsworthMike Ounsworth

    43.3k15 gold badges110 silver badges151 bronze badges




    43.3k15 gold badges110 silver badges151 bronze badges










    • 28





      The banner can also be configured to lie, while fingerprinting based on behavior is a bit harder to mislead... I'd expect junior pen testers and script kiddies to be the only people who actually care about the banner.

      – Ghedipunk
      Oct 16 at 20:03






    • 2





      While nmap can determine the type of server quite reliably, the determining the version is very hit and miss

      – paj28
      Oct 17 at 14:00






    • 1





      I get that you might be able to work it out indirectly but how reliably? One of my reoccurring annoyances is that vulnerability scanners keep 'finding' vulnerable Wordpress plugins running on our servers that don't even use PHP.

      – JimmyJames
      Oct 17 at 14:33











    • Thanks for the prompt @paj28. I've rolled in more info about the reliability of version detection.

      – Mike Ounsworth
      Oct 17 at 14:39











    • Thanks for the detailed answer. I think the web servers out there could be providing unique features while still giving out as little information as possible. The could come in a very secure default configuration that only offers the standard set of features and additional features would have to be configured by the admin. As I also learned, the order of the header fields in the response can be used for fingerprinting (e.g. IIS and Apache order the fields differently as far as I remember). Obviously that is a point that could be easily fixed.

      – pudelwudel
      Oct 17 at 20:17












    • 28





      The banner can also be configured to lie, while fingerprinting based on behavior is a bit harder to mislead... I'd expect junior pen testers and script kiddies to be the only people who actually care about the banner.

      – Ghedipunk
      Oct 16 at 20:03






    • 2





      While nmap can determine the type of server quite reliably, the determining the version is very hit and miss

      – paj28
      Oct 17 at 14:00






    • 1





      I get that you might be able to work it out indirectly but how reliably? One of my reoccurring annoyances is that vulnerability scanners keep 'finding' vulnerable Wordpress plugins running on our servers that don't even use PHP.

      – JimmyJames
      Oct 17 at 14:33











    • Thanks for the prompt @paj28. I've rolled in more info about the reliability of version detection.

      – Mike Ounsworth
      Oct 17 at 14:39











    • Thanks for the detailed answer. I think the web servers out there could be providing unique features while still giving out as little information as possible. The could come in a very secure default configuration that only offers the standard set of features and additional features would have to be configured by the admin. As I also learned, the order of the header fields in the response can be used for fingerprinting (e.g. IIS and Apache order the fields differently as far as I remember). Obviously that is a point that could be easily fixed.

      – pudelwudel
      Oct 17 at 20:17







    28




    28





    The banner can also be configured to lie, while fingerprinting based on behavior is a bit harder to mislead... I'd expect junior pen testers and script kiddies to be the only people who actually care about the banner.

    – Ghedipunk
    Oct 16 at 20:03





    The banner can also be configured to lie, while fingerprinting based on behavior is a bit harder to mislead... I'd expect junior pen testers and script kiddies to be the only people who actually care about the banner.

    – Ghedipunk
    Oct 16 at 20:03




    2




    2





    While nmap can determine the type of server quite reliably, the determining the version is very hit and miss

    – paj28
    Oct 17 at 14:00





    While nmap can determine the type of server quite reliably, the determining the version is very hit and miss

    – paj28
    Oct 17 at 14:00




    1




    1





    I get that you might be able to work it out indirectly but how reliably? One of my reoccurring annoyances is that vulnerability scanners keep 'finding' vulnerable Wordpress plugins running on our servers that don't even use PHP.

    – JimmyJames
    Oct 17 at 14:33





    I get that you might be able to work it out indirectly but how reliably? One of my reoccurring annoyances is that vulnerability scanners keep 'finding' vulnerable Wordpress plugins running on our servers that don't even use PHP.

    – JimmyJames
    Oct 17 at 14:33













    Thanks for the prompt @paj28. I've rolled in more info about the reliability of version detection.

    – Mike Ounsworth
    Oct 17 at 14:39





    Thanks for the prompt @paj28. I've rolled in more info about the reliability of version detection.

    – Mike Ounsworth
    Oct 17 at 14:39













    Thanks for the detailed answer. I think the web servers out there could be providing unique features while still giving out as little information as possible. The could come in a very secure default configuration that only offers the standard set of features and additional features would have to be configured by the admin. As I also learned, the order of the header fields in the response can be used for fingerprinting (e.g. IIS and Apache order the fields differently as far as I remember). Obviously that is a point that could be easily fixed.

    – pudelwudel
    Oct 17 at 20:17





    Thanks for the detailed answer. I think the web servers out there could be providing unique features while still giving out as little information as possible. The could come in a very secure default configuration that only offers the standard set of features and additional features would have to be configured by the admin. As I also learned, the order of the header fields in the response can be used for fingerprinting (e.g. IIS and Apache order the fields differently as far as I remember). Obviously that is a point that could be easily fixed.

    – pudelwudel
    Oct 17 at 20:17













    28



















    Attackers just do not care. When you have a popular website, you find bots probing for every (vulnerable) version of phpmyadmin on every conceivable path, even when your site does not use a database at all. In the same manner, they probably probe for security holes in every version of, e.g., apache. Lying on or omitting the Server header does not buy you much security here.



    But when you're the admin, you can use the Server header to quickly identify, if the server is still unpatched, what may prevent you from forgetting that you did not update, yet.



    Of course your concerns are valid, e.g., when somebody is gathering information and may manually sort out exploits, that would work when they knew the right version, but in most cases it is just security by obscurity. The important point is, that you should make sure to keep the software updated, so you do not need to care about an attacker knowing that you run the latest version.






    share|improve this answer




















    • 13





      "when you're the admin, you can use the Server header to quickly identify, if the server is still unpatched" An administrator can look at the installed version on the system. That is not a reason to expose it to the whole internet.

      – Luc
      Oct 17 at 8:57






    • 1





      If I need to rely on external sources to see what is inside my network, I have bigger issues. And I also think blocking icmp is detrimental to the Internet.

      – Luc
      Oct 17 at 12:24






    • 2





      It is a debugging tool. You're free to turn it off, but it is useful to have it in many cases, e.g. debugging problems, interpreting bug reports by users and many more. The question here was not about if you can update your webserver without needing a header that tells you its version, but about why webservers still send the header by default.

      – allo
      Oct 17 at 14:01






    • 1





      @JimmyJames That makes no sense. If a flaw is discovered, the next version fixes it. It is not always mentioned in changelogs, so you often can't rely on those to tell you when you really need to update. Purposefully running an old version is almost always worse. And when a flaw is discovered that only affects the latest version and was due to new code that was not in previous versions (this is exceptional), then a new version is released that fixes that code, and you don't have to revert, either. The latest version is generally the right choice for security.

      – Luc
      Oct 17 at 17:31







    • 2





      @Luc Sometimes new releases introduce new flaws. When those flaws are discovered, there's not always a new release ready to go. I'm not sure what doesn't make sense about that.

      – JimmyJames
      Oct 17 at 17:48















    28



















    Attackers just do not care. When you have a popular website, you find bots probing for every (vulnerable) version of phpmyadmin on every conceivable path, even when your site does not use a database at all. In the same manner, they probably probe for security holes in every version of, e.g., apache. Lying on or omitting the Server header does not buy you much security here.



    But when you're the admin, you can use the Server header to quickly identify, if the server is still unpatched, what may prevent you from forgetting that you did not update, yet.



    Of course your concerns are valid, e.g., when somebody is gathering information and may manually sort out exploits, that would work when they knew the right version, but in most cases it is just security by obscurity. The important point is, that you should make sure to keep the software updated, so you do not need to care about an attacker knowing that you run the latest version.






    share|improve this answer




















    • 13





      "when you're the admin, you can use the Server header to quickly identify, if the server is still unpatched" An administrator can look at the installed version on the system. That is not a reason to expose it to the whole internet.

      – Luc
      Oct 17 at 8:57






    • 1





      If I need to rely on external sources to see what is inside my network, I have bigger issues. And I also think blocking icmp is detrimental to the Internet.

      – Luc
      Oct 17 at 12:24






    • 2





      It is a debugging tool. You're free to turn it off, but it is useful to have it in many cases, e.g. debugging problems, interpreting bug reports by users and many more. The question here was not about if you can update your webserver without needing a header that tells you its version, but about why webservers still send the header by default.

      – allo
      Oct 17 at 14:01






    • 1





      @JimmyJames That makes no sense. If a flaw is discovered, the next version fixes it. It is not always mentioned in changelogs, so you often can't rely on those to tell you when you really need to update. Purposefully running an old version is almost always worse. And when a flaw is discovered that only affects the latest version and was due to new code that was not in previous versions (this is exceptional), then a new version is released that fixes that code, and you don't have to revert, either. The latest version is generally the right choice for security.

      – Luc
      Oct 17 at 17:31







    • 2





      @Luc Sometimes new releases introduce new flaws. When those flaws are discovered, there's not always a new release ready to go. I'm not sure what doesn't make sense about that.

      – JimmyJames
      Oct 17 at 17:48













    28















    28











    28









    Attackers just do not care. When you have a popular website, you find bots probing for every (vulnerable) version of phpmyadmin on every conceivable path, even when your site does not use a database at all. In the same manner, they probably probe for security holes in every version of, e.g., apache. Lying on or omitting the Server header does not buy you much security here.



    But when you're the admin, you can use the Server header to quickly identify, if the server is still unpatched, what may prevent you from forgetting that you did not update, yet.



    Of course your concerns are valid, e.g., when somebody is gathering information and may manually sort out exploits, that would work when they knew the right version, but in most cases it is just security by obscurity. The important point is, that you should make sure to keep the software updated, so you do not need to care about an attacker knowing that you run the latest version.






    share|improve this answer














    Attackers just do not care. When you have a popular website, you find bots probing for every (vulnerable) version of phpmyadmin on every conceivable path, even when your site does not use a database at all. In the same manner, they probably probe for security holes in every version of, e.g., apache. Lying on or omitting the Server header does not buy you much security here.



    But when you're the admin, you can use the Server header to quickly identify, if the server is still unpatched, what may prevent you from forgetting that you did not update, yet.



    Of course your concerns are valid, e.g., when somebody is gathering information and may manually sort out exploits, that would work when they knew the right version, but in most cases it is just security by obscurity. The important point is, that you should make sure to keep the software updated, so you do not need to care about an attacker knowing that you run the latest version.







    share|improve this answer













    share|improve this answer




    share|improve this answer










    answered Oct 17 at 8:21









    alloallo

    2,8065 silver badges22 bronze badges




    2,8065 silver badges22 bronze badges










    • 13





      "when you're the admin, you can use the Server header to quickly identify, if the server is still unpatched" An administrator can look at the installed version on the system. That is not a reason to expose it to the whole internet.

      – Luc
      Oct 17 at 8:57






    • 1





      If I need to rely on external sources to see what is inside my network, I have bigger issues. And I also think blocking icmp is detrimental to the Internet.

      – Luc
      Oct 17 at 12:24






    • 2





      It is a debugging tool. You're free to turn it off, but it is useful to have it in many cases, e.g. debugging problems, interpreting bug reports by users and many more. The question here was not about if you can update your webserver without needing a header that tells you its version, but about why webservers still send the header by default.

      – allo
      Oct 17 at 14:01






    • 1





      @JimmyJames That makes no sense. If a flaw is discovered, the next version fixes it. It is not always mentioned in changelogs, so you often can't rely on those to tell you when you really need to update. Purposefully running an old version is almost always worse. And when a flaw is discovered that only affects the latest version and was due to new code that was not in previous versions (this is exceptional), then a new version is released that fixes that code, and you don't have to revert, either. The latest version is generally the right choice for security.

      – Luc
      Oct 17 at 17:31







    • 2





      @Luc Sometimes new releases introduce new flaws. When those flaws are discovered, there's not always a new release ready to go. I'm not sure what doesn't make sense about that.

      – JimmyJames
      Oct 17 at 17:48












    • 13





      "when you're the admin, you can use the Server header to quickly identify, if the server is still unpatched" An administrator can look at the installed version on the system. That is not a reason to expose it to the whole internet.

      – Luc
      Oct 17 at 8:57






    • 1





      If I need to rely on external sources to see what is inside my network, I have bigger issues. And I also think blocking icmp is detrimental to the Internet.

      – Luc
      Oct 17 at 12:24






    • 2





      It is a debugging tool. You're free to turn it off, but it is useful to have it in many cases, e.g. debugging problems, interpreting bug reports by users and many more. The question here was not about if you can update your webserver without needing a header that tells you its version, but about why webservers still send the header by default.

      – allo
      Oct 17 at 14:01






    • 1





      @JimmyJames That makes no sense. If a flaw is discovered, the next version fixes it. It is not always mentioned in changelogs, so you often can't rely on those to tell you when you really need to update. Purposefully running an old version is almost always worse. And when a flaw is discovered that only affects the latest version and was due to new code that was not in previous versions (this is exceptional), then a new version is released that fixes that code, and you don't have to revert, either. The latest version is generally the right choice for security.

      – Luc
      Oct 17 at 17:31







    • 2





      @Luc Sometimes new releases introduce new flaws. When those flaws are discovered, there's not always a new release ready to go. I'm not sure what doesn't make sense about that.

      – JimmyJames
      Oct 17 at 17:48







    13




    13





    "when you're the admin, you can use the Server header to quickly identify, if the server is still unpatched" An administrator can look at the installed version on the system. That is not a reason to expose it to the whole internet.

    – Luc
    Oct 17 at 8:57





    "when you're the admin, you can use the Server header to quickly identify, if the server is still unpatched" An administrator can look at the installed version on the system. That is not a reason to expose it to the whole internet.

    – Luc
    Oct 17 at 8:57




    1




    1





    If I need to rely on external sources to see what is inside my network, I have bigger issues. And I also think blocking icmp is detrimental to the Internet.

    – Luc
    Oct 17 at 12:24





    If I need to rely on external sources to see what is inside my network, I have bigger issues. And I also think blocking icmp is detrimental to the Internet.

    – Luc
    Oct 17 at 12:24




    2




    2





    It is a debugging tool. You're free to turn it off, but it is useful to have it in many cases, e.g. debugging problems, interpreting bug reports by users and many more. The question here was not about if you can update your webserver without needing a header that tells you its version, but about why webservers still send the header by default.

    – allo
    Oct 17 at 14:01





    It is a debugging tool. You're free to turn it off, but it is useful to have it in many cases, e.g. debugging problems, interpreting bug reports by users and many more. The question here was not about if you can update your webserver without needing a header that tells you its version, but about why webservers still send the header by default.

    – allo
    Oct 17 at 14:01




    1




    1





    @JimmyJames That makes no sense. If a flaw is discovered, the next version fixes it. It is not always mentioned in changelogs, so you often can't rely on those to tell you when you really need to update. Purposefully running an old version is almost always worse. And when a flaw is discovered that only affects the latest version and was due to new code that was not in previous versions (this is exceptional), then a new version is released that fixes that code, and you don't have to revert, either. The latest version is generally the right choice for security.

    – Luc
    Oct 17 at 17:31






    @JimmyJames That makes no sense. If a flaw is discovered, the next version fixes it. It is not always mentioned in changelogs, so you often can't rely on those to tell you when you really need to update. Purposefully running an old version is almost always worse. And when a flaw is discovered that only affects the latest version and was due to new code that was not in previous versions (this is exceptional), then a new version is released that fixes that code, and you don't have to revert, either. The latest version is generally the right choice for security.

    – Luc
    Oct 17 at 17:31





    2




    2





    @Luc Sometimes new releases introduce new flaws. When those flaws are discovered, there's not always a new release ready to go. I'm not sure what doesn't make sense about that.

    – JimmyJames
    Oct 17 at 17:48





    @Luc Sometimes new releases introduce new flaws. When those flaws are discovered, there's not always a new release ready to go. I'm not sure what doesn't make sense about that.

    – JimmyJames
    Oct 17 at 17:48











    13



















    Historically, many servers returned headers like this:




    Server: Apache/2.4.1 (Unix) mod_php/1.2 mod_ssl/0.9




    This does give away a bit more information than you want, so most servers now default to headers like this:




    Server: Apache




    In fact, most web servers make it difficult to turn off this header. The reason? Marketing. They want to appear in surveys of what the most common web servers are.



    Regarding fingerprinting, a number of tools can quite reliably determine Apache vs NGINX vs IIS, etc. But fingerprinting the version of a server is much harder, open source tools do not do it well, and it is impossible with any granularity.






    share|improve this answer






















    • 2





      I only have experience administering Apache httpd and Apache Tomcat servers. Both of those are astoundingly simply to change/remove the Server response header. nginx seems to have a similarly easy option to do so. So I'm not sure that "most web servers make it difficult to turn off this header" is accurate at all. Maybe "Microsoft IIS doesn't allow you to turn it off easily" is more accurate.

      – Christopher Schultz
      Oct 18 at 19:24











    • @ChristopherSchultz - how exactly did you turn it off for Apache?

      – paj28
      Oct 19 at 11:24















    13



















    Historically, many servers returned headers like this:




    Server: Apache/2.4.1 (Unix) mod_php/1.2 mod_ssl/0.9




    This does give away a bit more information than you want, so most servers now default to headers like this:




    Server: Apache




    In fact, most web servers make it difficult to turn off this header. The reason? Marketing. They want to appear in surveys of what the most common web servers are.



    Regarding fingerprinting, a number of tools can quite reliably determine Apache vs NGINX vs IIS, etc. But fingerprinting the version of a server is much harder, open source tools do not do it well, and it is impossible with any granularity.






    share|improve this answer






















    • 2





      I only have experience administering Apache httpd and Apache Tomcat servers. Both of those are astoundingly simply to change/remove the Server response header. nginx seems to have a similarly easy option to do so. So I'm not sure that "most web servers make it difficult to turn off this header" is accurate at all. Maybe "Microsoft IIS doesn't allow you to turn it off easily" is more accurate.

      – Christopher Schultz
      Oct 18 at 19:24











    • @ChristopherSchultz - how exactly did you turn it off for Apache?

      – paj28
      Oct 19 at 11:24













    13















    13











    13









    Historically, many servers returned headers like this:




    Server: Apache/2.4.1 (Unix) mod_php/1.2 mod_ssl/0.9




    This does give away a bit more information than you want, so most servers now default to headers like this:




    Server: Apache




    In fact, most web servers make it difficult to turn off this header. The reason? Marketing. They want to appear in surveys of what the most common web servers are.



    Regarding fingerprinting, a number of tools can quite reliably determine Apache vs NGINX vs IIS, etc. But fingerprinting the version of a server is much harder, open source tools do not do it well, and it is impossible with any granularity.






    share|improve this answer
















    Historically, many servers returned headers like this:




    Server: Apache/2.4.1 (Unix) mod_php/1.2 mod_ssl/0.9




    This does give away a bit more information than you want, so most servers now default to headers like this:




    Server: Apache




    In fact, most web servers make it difficult to turn off this header. The reason? Marketing. They want to appear in surveys of what the most common web servers are.



    Regarding fingerprinting, a number of tools can quite reliably determine Apache vs NGINX vs IIS, etc. But fingerprinting the version of a server is much harder, open source tools do not do it well, and it is impossible with any granularity.







    share|improve this answer















    share|improve this answer




    share|improve this answer








    edited Oct 17 at 14:04

























    answered Oct 17 at 13:59









    paj28paj28

    29.3k4 gold badges79 silver badges116 bronze badges




    29.3k4 gold badges79 silver badges116 bronze badges










    • 2





      I only have experience administering Apache httpd and Apache Tomcat servers. Both of those are astoundingly simply to change/remove the Server response header. nginx seems to have a similarly easy option to do so. So I'm not sure that "most web servers make it difficult to turn off this header" is accurate at all. Maybe "Microsoft IIS doesn't allow you to turn it off easily" is more accurate.

      – Christopher Schultz
      Oct 18 at 19:24











    • @ChristopherSchultz - how exactly did you turn it off for Apache?

      – paj28
      Oct 19 at 11:24












    • 2





      I only have experience administering Apache httpd and Apache Tomcat servers. Both of those are astoundingly simply to change/remove the Server response header. nginx seems to have a similarly easy option to do so. So I'm not sure that "most web servers make it difficult to turn off this header" is accurate at all. Maybe "Microsoft IIS doesn't allow you to turn it off easily" is more accurate.

      – Christopher Schultz
      Oct 18 at 19:24











    • @ChristopherSchultz - how exactly did you turn it off for Apache?

      – paj28
      Oct 19 at 11:24







    2




    2





    I only have experience administering Apache httpd and Apache Tomcat servers. Both of those are astoundingly simply to change/remove the Server response header. nginx seems to have a similarly easy option to do so. So I'm not sure that "most web servers make it difficult to turn off this header" is accurate at all. Maybe "Microsoft IIS doesn't allow you to turn it off easily" is more accurate.

    – Christopher Schultz
    Oct 18 at 19:24





    I only have experience administering Apache httpd and Apache Tomcat servers. Both of those are astoundingly simply to change/remove the Server response header. nginx seems to have a similarly easy option to do so. So I'm not sure that "most web servers make it difficult to turn off this header" is accurate at all. Maybe "Microsoft IIS doesn't allow you to turn it off easily" is more accurate.

    – Christopher Schultz
    Oct 18 at 19:24













    @ChristopherSchultz - how exactly did you turn it off for Apache?

    – paj28
    Oct 19 at 11:24





    @ChristopherSchultz - how exactly did you turn it off for Apache?

    – paj28
    Oct 19 at 11:24











    5



















    As said, it's not a security issue to leave it, and it's a useful information for some client programs. Take curl for instance: it uses the Server header value to check if HTTP pipelining can be enabled:



    Taken from https://serverfault.com/a/596560/347610




    [curl shows this message when run in verbose mode -v]:



    * Server Apache/... is not blacklisted



    It is an internal message from curl.
    Seems to be part of a curl feature related to pipelining.




    See also https://daniel.haxx.se/blog/2013/03/26/better-pipelining-in-libcurl-7-30-0/




    a server blacklist [note: "based off the Server header"] that allows the application to specify a list of servers for which HTTP pipelining should not be attempted – real world tests has proven that some servers are too broken to be allowed to play the game




    Hence why it's still enabled by default, and is totally harmless (just keep your server up to date). It's somehow the server's version of User-Agent header.






    share|improve this answer

























    • I did not know this was actually used by any software, I really thought the Server header was sent on every response just to be informative for the one-in-a-billion http responses seen by human eyes (or for statistics counting). Thanks for mentioning there is a practical reason to include a server header in the response!

      – Luc
      Oct 17 at 18:29











    • If you remove the Server response header, it won't be blacklisted from curl's pipelining features...

      – Christopher Schultz
      Oct 18 at 19:25











    • @ChristopherSchultz No, but if your server's version is in curl's blacklist, removing the Server header will make curl use pipelining while this server version support it wrong. Maybe some other web client use the same kind of scheme without stating so (or aren't in verbose mode), hence why leaving the Server header is a good idea (see RFC 7231 too).

      – Xenos
      Oct 19 at 11:50















    5



















    As said, it's not a security issue to leave it, and it's a useful information for some client programs. Take curl for instance: it uses the Server header value to check if HTTP pipelining can be enabled:



    Taken from https://serverfault.com/a/596560/347610




    [curl shows this message when run in verbose mode -v]:



    * Server Apache/... is not blacklisted



    It is an internal message from curl.
    Seems to be part of a curl feature related to pipelining.




    See also https://daniel.haxx.se/blog/2013/03/26/better-pipelining-in-libcurl-7-30-0/




    a server blacklist [note: "based off the Server header"] that allows the application to specify a list of servers for which HTTP pipelining should not be attempted – real world tests has proven that some servers are too broken to be allowed to play the game




    Hence why it's still enabled by default, and is totally harmless (just keep your server up to date). It's somehow the server's version of User-Agent header.






    share|improve this answer

























    • I did not know this was actually used by any software, I really thought the Server header was sent on every response just to be informative for the one-in-a-billion http responses seen by human eyes (or for statistics counting). Thanks for mentioning there is a practical reason to include a server header in the response!

      – Luc
      Oct 17 at 18:29











    • If you remove the Server response header, it won't be blacklisted from curl's pipelining features...

      – Christopher Schultz
      Oct 18 at 19:25











    • @ChristopherSchultz No, but if your server's version is in curl's blacklist, removing the Server header will make curl use pipelining while this server version support it wrong. Maybe some other web client use the same kind of scheme without stating so (or aren't in verbose mode), hence why leaving the Server header is a good idea (see RFC 7231 too).

      – Xenos
      Oct 19 at 11:50













    5















    5











    5









    As said, it's not a security issue to leave it, and it's a useful information for some client programs. Take curl for instance: it uses the Server header value to check if HTTP pipelining can be enabled:



    Taken from https://serverfault.com/a/596560/347610




    [curl shows this message when run in verbose mode -v]:



    * Server Apache/... is not blacklisted



    It is an internal message from curl.
    Seems to be part of a curl feature related to pipelining.




    See also https://daniel.haxx.se/blog/2013/03/26/better-pipelining-in-libcurl-7-30-0/




    a server blacklist [note: "based off the Server header"] that allows the application to specify a list of servers for which HTTP pipelining should not be attempted – real world tests has proven that some servers are too broken to be allowed to play the game




    Hence why it's still enabled by default, and is totally harmless (just keep your server up to date). It's somehow the server's version of User-Agent header.






    share|improve this answer














    As said, it's not a security issue to leave it, and it's a useful information for some client programs. Take curl for instance: it uses the Server header value to check if HTTP pipelining can be enabled:



    Taken from https://serverfault.com/a/596560/347610




    [curl shows this message when run in verbose mode -v]:



    * Server Apache/... is not blacklisted



    It is an internal message from curl.
    Seems to be part of a curl feature related to pipelining.




    See also https://daniel.haxx.se/blog/2013/03/26/better-pipelining-in-libcurl-7-30-0/




    a server blacklist [note: "based off the Server header"] that allows the application to specify a list of servers for which HTTP pipelining should not be attempted – real world tests has proven that some servers are too broken to be allowed to play the game




    Hence why it's still enabled by default, and is totally harmless (just keep your server up to date). It's somehow the server's version of User-Agent header.







    share|improve this answer













    share|improve this answer




    share|improve this answer










    answered Oct 17 at 15:10









    XenosXenos

    1,2444 silver badges14 bronze badges




    1,2444 silver badges14 bronze badges















    • I did not know this was actually used by any software, I really thought the Server header was sent on every response just to be informative for the one-in-a-billion http responses seen by human eyes (or for statistics counting). Thanks for mentioning there is a practical reason to include a server header in the response!

      – Luc
      Oct 17 at 18:29











    • If you remove the Server response header, it won't be blacklisted from curl's pipelining features...

      – Christopher Schultz
      Oct 18 at 19:25











    • @ChristopherSchultz No, but if your server's version is in curl's blacklist, removing the Server header will make curl use pipelining while this server version support it wrong. Maybe some other web client use the same kind of scheme without stating so (or aren't in verbose mode), hence why leaving the Server header is a good idea (see RFC 7231 too).

      – Xenos
      Oct 19 at 11:50

















    • I did not know this was actually used by any software, I really thought the Server header was sent on every response just to be informative for the one-in-a-billion http responses seen by human eyes (or for statistics counting). Thanks for mentioning there is a practical reason to include a server header in the response!

      – Luc
      Oct 17 at 18:29











    • If you remove the Server response header, it won't be blacklisted from curl's pipelining features...

      – Christopher Schultz
      Oct 18 at 19:25











    • @ChristopherSchultz No, but if your server's version is in curl's blacklist, removing the Server header will make curl use pipelining while this server version support it wrong. Maybe some other web client use the same kind of scheme without stating so (or aren't in verbose mode), hence why leaving the Server header is a good idea (see RFC 7231 too).

      – Xenos
      Oct 19 at 11:50
















    I did not know this was actually used by any software, I really thought the Server header was sent on every response just to be informative for the one-in-a-billion http responses seen by human eyes (or for statistics counting). Thanks for mentioning there is a practical reason to include a server header in the response!

    – Luc
    Oct 17 at 18:29





    I did not know this was actually used by any software, I really thought the Server header was sent on every response just to be informative for the one-in-a-billion http responses seen by human eyes (or for statistics counting). Thanks for mentioning there is a practical reason to include a server header in the response!

    – Luc
    Oct 17 at 18:29













    If you remove the Server response header, it won't be blacklisted from curl's pipelining features...

    – Christopher Schultz
    Oct 18 at 19:25





    If you remove the Server response header, it won't be blacklisted from curl's pipelining features...

    – Christopher Schultz
    Oct 18 at 19:25













    @ChristopherSchultz No, but if your server's version is in curl's blacklist, removing the Server header will make curl use pipelining while this server version support it wrong. Maybe some other web client use the same kind of scheme without stating so (or aren't in verbose mode), hence why leaving the Server header is a good idea (see RFC 7231 too).

    – Xenos
    Oct 19 at 11:50





    @ChristopherSchultz No, but if your server's version is in curl's blacklist, removing the Server header will make curl use pipelining while this server version support it wrong. Maybe some other web client use the same kind of scheme without stating so (or aren't in verbose mode), hence why leaving the Server header is a good idea (see RFC 7231 too).

    – Xenos
    Oct 19 at 11:50











    1



















    Because hiding version information is a weak security measure and a form of security through obscurity. The amount of security it adds is debatable, given that a) attackers can still fingerprint and probably determine your server, version and mods within a narrow margin of error and b) attackers can simply throw their whole library of exploits at you anyway.



    In most scenarios, all you do is add a bit of time and effort for the attacker. The only scenario where you actually win something is if an attacker prepares a large attack by scanning entire networks to focus his later attack only on servers found vulnerable (i.e. he wants to compromise as many sites as possible in as short a time as possible) and he doesn't use fingerprinting or it doesn't work reliably on your site.



    That's why turning off version information in production is one of those low-hanging fruits we usually do or advise simply because it does little harm and might do a little good, so why not?



    During development, not being able to check the version from outside can cause additional work (log in to system, check there with commandline tools), or may not even be possible because the devs can't directly access the server, so in development version numbers are usually not turned off.



    Your docker image does not know if it will be used for production or development. That's why it keeps version numbers on - it would do more harm in one setting than it does good in the other.






    share|improve this answer





























      1



















      Because hiding version information is a weak security measure and a form of security through obscurity. The amount of security it adds is debatable, given that a) attackers can still fingerprint and probably determine your server, version and mods within a narrow margin of error and b) attackers can simply throw their whole library of exploits at you anyway.



      In most scenarios, all you do is add a bit of time and effort for the attacker. The only scenario where you actually win something is if an attacker prepares a large attack by scanning entire networks to focus his later attack only on servers found vulnerable (i.e. he wants to compromise as many sites as possible in as short a time as possible) and he doesn't use fingerprinting or it doesn't work reliably on your site.



      That's why turning off version information in production is one of those low-hanging fruits we usually do or advise simply because it does little harm and might do a little good, so why not?



      During development, not being able to check the version from outside can cause additional work (log in to system, check there with commandline tools), or may not even be possible because the devs can't directly access the server, so in development version numbers are usually not turned off.



      Your docker image does not know if it will be used for production or development. That's why it keeps version numbers on - it would do more harm in one setting than it does good in the other.






      share|improve this answer



























        1















        1











        1









        Because hiding version information is a weak security measure and a form of security through obscurity. The amount of security it adds is debatable, given that a) attackers can still fingerprint and probably determine your server, version and mods within a narrow margin of error and b) attackers can simply throw their whole library of exploits at you anyway.



        In most scenarios, all you do is add a bit of time and effort for the attacker. The only scenario where you actually win something is if an attacker prepares a large attack by scanning entire networks to focus his later attack only on servers found vulnerable (i.e. he wants to compromise as many sites as possible in as short a time as possible) and he doesn't use fingerprinting or it doesn't work reliably on your site.



        That's why turning off version information in production is one of those low-hanging fruits we usually do or advise simply because it does little harm and might do a little good, so why not?



        During development, not being able to check the version from outside can cause additional work (log in to system, check there with commandline tools), or may not even be possible because the devs can't directly access the server, so in development version numbers are usually not turned off.



        Your docker image does not know if it will be used for production or development. That's why it keeps version numbers on - it would do more harm in one setting than it does good in the other.






        share|improve this answer














        Because hiding version information is a weak security measure and a form of security through obscurity. The amount of security it adds is debatable, given that a) attackers can still fingerprint and probably determine your server, version and mods within a narrow margin of error and b) attackers can simply throw their whole library of exploits at you anyway.



        In most scenarios, all you do is add a bit of time and effort for the attacker. The only scenario where you actually win something is if an attacker prepares a large attack by scanning entire networks to focus his later attack only on servers found vulnerable (i.e. he wants to compromise as many sites as possible in as short a time as possible) and he doesn't use fingerprinting or it doesn't work reliably on your site.



        That's why turning off version information in production is one of those low-hanging fruits we usually do or advise simply because it does little harm and might do a little good, so why not?



        During development, not being able to check the version from outside can cause additional work (log in to system, check there with commandline tools), or may not even be possible because the devs can't directly access the server, so in development version numbers are usually not turned off.



        Your docker image does not know if it will be used for production or development. That's why it keeps version numbers on - it would do more harm in one setting than it does good in the other.







        share|improve this answer













        share|improve this answer




        share|improve this answer










        answered Oct 19 at 5:42









        TomTom

        6,97310 silver badges40 bronze badges




        6,97310 silver badges40 bronze badges































            draft saved

            draft discarded















































            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f219703%2fwhy-do-some-web-servers-still-provide-information-on-vendor-and-version-in-the-h%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown









            Popular posts from this blog

            Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

            Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

            199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單