Do I need to set the ServerSignature and ServerTokens Apache server configuration parameters with Rails applications?

I ran into something in one of my Rails books, which said that I should set

ServerSignature Off
ServerTokens Prod

to stop Apache from displaying server information during application creation. Is it necessary? The only error message I see in prod is the standard error message for creating Rails. I never see server information.

Are there any other security-related Apache configuration options that I need to set?

+4
1 answer

This is not necessary, but recommended. By showing your server signature and full server tokens, you are providing potential hackers with an easier way to determine how to hack your system. For example, with ServerSignature on and full ServerTokens, the hacker will know exactly which OS (including version) and server technology you are using.

Example: with ServerTokens set to Full, you can get:

Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch Server

With it set to Prod, you only get:

Apache

This Slicehost article gives a good overview of how to approach ServerSignature and ServerTokens.

+9
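
An added example (not part of the original answer): a Python check that reports what a response discloses through the Server header and through the footer that ServerSignature On appends to server-generated pages, so the effect of the two directives can be confirmed. The sample responses are constructed from the header values quoted above; the function names and the example.com footer are assumptions.

```python
import re

# Product token with a version ("Apache/2.2.8", "PHP/5.2.4-2ubuntu5").
PRODUCT_RE = re.compile(r"([A-Za-z0-9_.+-]+)/([^\s()]+)")
# Parenthesised comment, where Apache puts the OS name, e.g. "(Ubuntu)".
COMMENT_RE = re.compile(r"\(([^)]*)\)")
# Footer that ServerSignature On appends to server-generated pages.
SIGNATURE_RE = re.compile(r"<address>(.*?)</address>", re.I | re.S)


def audit_server_header(value):
    """Return what a Server header value discloses beyond the product name."""
    versions = dict(PRODUCT_RE.findall(value))
    platforms = COMMENT_RE.findall(value)
    return {"versions": versions, "platforms": platforms,
            "leaks": bool(versions or platforms)}


def audit_response(headers, body):
    """Audit one response: Server header plus any ServerSignature footer."""
    findings = []
    result = audit_server_header(headers.get("Server", ""))
    for product, version in result["versions"].items():
        findings.append(f"Server header exposes {product} version {version}")
    for platform in result["platforms"]:
        findings.append(f"Server header exposes platform {platform}")
    match = SIGNATURE_RE.search(body)
    if match:
        findings.append(f"Error page footer present: {match.group(1).strip()}")
    return findings


# Constructed sample responses, using the two header values quoted in the answer.
FULL = ({"Server": "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch Server"},
        "<h1>Not Found</h1><hr>\n<address>Apache/2.2.8 (Ubuntu) Server at "
        "example.com Port 80</address>")
PROD = ({"Server": "Apache"}, "<h1>Not Found</h1>")

if __name__ == "__main__":
    for name, (headers, body) in (("Full + Signature On", FULL),
                                  ("Prod + Signature Off", PROD)):
        print(name, audit_response(headers, body) or "nothing disclosed")
```
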