Server Signature

Discussion in 'Install/Configuration' started by kanderson, May 15, 2009.

  1. kanderson

    kanderson New Member

    I'm running Litespeed Web Server Enterprise v4.0.3 and have the Server Signature set to Hide Full Header. After restarting, when viewing a directory listing, the signature still appears:

    Proudly Served by LiteSpeed Web Server at 127.0.0.1 Port 80

    Am I missing something? There should be nothing showing up, or is that what you guys consider hiding the signature?
  2. auser

    auser Super Moderator

    you can edit $SERVER_ROOT/share/autoindex/default.php to change it.

    The "Server Signature" is used to configure the "Server" value in every http response header. Can check it through firebug:

    in this example, configure this line:
    Server: LiteSpeed
  3. kanderson

    kanderson New Member

    Ah, thank you very much, auser!
  4. kanderson

    kanderson New Member

    Ok, well while editing that file allows you to remove the closing line, I noticed that upon visiting a 403 page (for example, trying to view the contents of the cgi-bin), you get a full server signature again, complete with a link back to LiteSpeed.

    The setting in the admin web panel should really disable this globally and completely remove the server signature, similar to how Apache has options for ServerSignature (Off, On, Email) and ServerTokens (ProductOnly, Minimal, OS, Full).

    Since I'm more familiar with Apache, I'm used to more of the options available for securing a server for PCI compliancy, mainly the server signature/tokens, trace/track options, and handling of ciphers (which I found out how to do I believe).

    Just wish it was more convenient to do through the admin panel rather than editing a file everytime (that I imagine will be overwritten when upgraded), especially when there's hundreds of environments to go through and update this for.
  5. mistwang

    mistwang LiteSpeed Staff

    add your own 403 page.

Share This Page