Skip to content

Protect or disable Apache server-status

Severity: highApplies to: Apache httpd 2.4.xApplies to: Apache httpd 2.4.68
The fix
Terminal window
# Best: if nothing scrapes it, remove the module entirely
sudo a2dismod status

If something does scrape it, restrict it rather than leaving it open:

<Location /server-status>
SetHandler server-status
Require local
Require ip 10.0.1.5
</Location>
ExtendedStatus Off

/server-status is not a health check. It is a live operational dashboard, and it publishes:

  • Every request currently being served — the full URL, including query strings and anything else in the path.
  • Client IP addresses for those requests.
  • Every vhost the server hosts, which enumerates your internal hostnames.
  • Uptime, worker state, request rates, and the server version.

With ExtendedStatus On — which mod_status enables by default in some packagings — you get the full request line for every worker. That means session tokens, password reset links, API keys and anything else people put in query strings appear on the page, live, to whoever loads it.

Scanners look for this path continuously and it is trivially findable. It is one of the most reliably productive URLs on the internet for reconnaissance.

The default Debian status.conf uses:

<Location /server-status>
SetHandler server-status
Require local
</Location>

Require local allows 127.0.0.1, ::1, and the server’s own IP addresses. That is usually fine — but note two things:

Behind a reverse proxy or load balancer, every request appears to come from the proxy. If the proxy is on the same host, or if mod_remoteip is not configured, Require local may match traffic that originated anywhere. A proxied /server-status request can pass a Require local check that was never meant to allow it.

Require local is not Require ip 127.0.0.1. If you want strictly loopback, say so.

The safest position is that the module isn’t loaded. The second safest is an explicit IP allow-list plus ExtendedStatus Off.

While you’re here:

Terminal window
sudo a2dismod info

mod_info serves /server-info, which is your entire parsed configuration — every module, every directive, every vhost, every path. There is no production scenario where that should be reachable. It is less common than mod_status and strictly more damaging.