Apache Profile
Find out how the presence of Apache is fingerprinted, associated security risks, and recommended configurations.
What is Apache?
The Apache HTTP Server is free and open-source, cross-platform web server software, released under the terms of the Apache License 2.0.
Security and Vulnerability Footprint
Apache is highly modular. Security risks stem from obsolete modules (e.g. mod_cgi vulnerabilities), directory listing exposure (auto-generated indexes on paths lacking index.html), and public version banners.
Defensive Best Practices
Explicitly set 'ServerTokens ProductOnly' and 'ServerSignature Off' to hide the server version details. Explicitly disable directory listings by removing 'Indexes' from the 'Options' directive.
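An added example (not part of the original page or of Apache itself): a small Python check that reads configuration text and reports the banner and directory-listing settings named above. It assumes the configuration is passed as one block of text and does not follow Include directives or .htaccess files; the function name audit_apache_conf and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = '''\
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/app">
    Options -Indexes +FollowSymLinks
</Directory>
'''

def audit_apache_conf(text):
    """Return (line, directive, message) findings; line 0 means server-wide."""
    tokens, signature = "Full", "Off"  # Apache defaults when a directive is absent
    stack, findings = [], []           # stack tracks nested <Section> containers
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
            continue
        section = re.match(r"<(\w+)\s+(.*?)>$", line)
        if section:
            stack.append(f"{section.group(1)} {section.group(2)}")
            continue
        name, *rest = line.split(None, 1)
        name, args = name.lower(), (rest[0].strip() if rest else "")
        if name == "servertokens":
            tokens = args
        elif name == "serversignature":
            signature = args
        elif name == "options":
            # Options prefixed with "-" are being switched off; the rest are enabled.
            enabled = {o.lstrip("+").lower() for o in args.split() if not o.startswith("-")}
            if enabled & {"indexes", "all"}:  # "All" includes Indexes
                where = stack[-1] if stack else "server config"
                findings.append((lineno, "Options", f"directory listing enabled in {where}"))
    if tokens.lower() not in ("prod", "productonly"):
        findings.append((0, "ServerTokens", f"'{tokens}' exposes version details in the Server header"))
    if signature.lower() != "off":
        findings.append((0, "ServerSignature", f"'{signature}' adds a signature footer to server-generated pages"))
    return findings

if __name__ == "__main__":
    for finding in audit_apache_conf(SAMPLE_CONF):
        print(finding)
```

An empty configuration still yields a ServerTokens finding, because the directive defaults to Full when it is not set.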
Frequently Asked Questions
How is Apache detected on a website?
Apache is detected by the 'Server: Apache' response header, and sometimes via unique default file icons or directory listing layouts.
How do I hide version information in Apache?
Add 'ServerTokens ProductOnly' and 'ServerSignature Off' to your main configuration file (e.g., httpd.conf or apache2.conf).
What is the security risk of Apache directory listing?
If Directory Indexes are enabled, attackers can browse files in directories that do not contain an index file, potentially exposing source code, config files, or backup archives.