id: file-disable-server-header

info:
  name: Disable Apache2 Server Header
  author: pussycat0x
  severity: medium
  description: |
    Ensures that 'ServerTokens Prod' and 'ServerSignature Off' are correctly set in Apache to prevent server information leakage.
  remediation: |
    Set 'ServerTokens Prod' and 'ServerSignature Off' in Apache configuration and restart the service.
  reference:
    - https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
    - https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
  metadata:
    verified: true
  tags: audit,config,file,apache,hardening

file:
  - extensions:
      - conf

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<Directory"
          - "<FilesMatch"
        condition: and

      - type: word
        words:
          - "ServerTokens Prod"
          - "ServerSignature Off"
        condition: and
        negative: true
# digest: 4a0a00473045022069c695bf78d378721446f01071fb8472f9be65761bc798e04b782bf32ab0d17a022100e0ef287a95163f2ee1e8b3df27c7990a02da468ecd4cd4890c549ab13e28c4ae:922c64590222798bb761d5b6d8e72950