Turn off Apache directory listings and version banners
apache2.conf / httpd.conf<Directory /var/www/html> Options -Indexes +FollowSymLinks</Directory>
ServerTokens ProdServerSignature OffDirectory listings are the real item here
Section titled “Directory listings are the real item here”When a directory has no index file, mod_autoindex generates a browsable
listing of everything in it. That is a genuine disclosure, and it is a
qualitatively different thing from the version banner below it on this page.
What tends to be in those directories:
/uploads/— every file your users uploaded, enumerable./backup/,/old/,/tmp/—database.sql.bak,config.php.old,.env.backup. Files nobody linked to but everybody can now find./.git/— if the repository was deployed, the listing hands over the whole source history including secrets that were committed and later “removed”.
None of those require a bug. Apache is doing its job: you asked for a directory, there was no index, here’s what’s in it.
Options -Indexes turns it off. Better still, disable the module, so the
directive is belt and braces rather than the only thing standing between a visitor
and your file list:
sudo a2dismod autoindexServerTokens is obscurity, and worth saying so
Section titled “ServerTokens is obscurity, and worth saying so”ServerTokens ProdThat changes Server: Apache/2.4.68 (Debian) to Server: Apache. It removes the
version and the OS. It does not remove the Server header, and it does not
hide that you’re running Apache.
The narrow, real benefit: mass scanners match on version strings. A bot working through the internet for hosts vulnerable to a specific CVE reads the banner and moves on if it doesn’t match. Removing the version drops you out of that bucket.
It buys nothing against anyone who has decided to look at you — response fingerprinting identifies Apache and narrows the version anyway.
And the important part: the version number is not the vulnerability. On 2.4.68
you’re patched whether or not anyone knows. On 2.4.66 you have
a remotely reachable double-free and hiding the banner does not unpatch
the attacker. This is housekeeping, not a control — which is why the whole page is
medium and it’s the listings half carrying that rating.
ServerSignature Off removes the version footer Apache appends to its own error
pages. Same category, same value.
Options is all-or-nothing per directory
Section titled “Options is all-or-nothing per directory”A subtlety that bites: Options does not merge. If a directory specifies any
Options without + or -, it replaces the inherited set entirely rather
than adding to it.
<Directory /var/www/html> Options -Indexes +FollowSymLinks</Directory><Directory /var/www/html/app> Options FollowSymLinks # replaces — and -Indexes is now gone</Directory>That second block has silently re-enabled indexes for /app, because a bare
Options FollowSymLinks discards the parent’s -Indexes. Always use + and
-, never a bare list, and Apache will merge rather than replace.
This is Apache’s version of nginx’s add_header trap — different directive, same
shape of surprise.
Related
Section titled “Related”- Disable unused modules — removing mod_autoindex entirely.
- Keep Require all denied — the block where
Options Nonelives.