Apache Server-Info Detected
Description
The Apache server-info handler is enabled and publicly accessible on this web server. This module provides detailed information about the Apache server's configuration, including loaded modules, directives, and server settings. While useful for administrators during development or troubleshooting, exposing this information to unauthorized users creates an unnecessary security risk.
Remediation
Disable the server-info handler if it is not actively required for legitimate administrative purposes. To remediate this issue:
1. Open your Apache configuration file (typically httpd.conf or apache2.conf)
2. Locate the <Location /server-info> section
3. Comment out or remove the entire section:
# <Location /server-info>
# SetHandler server-info
# Require host example.com
# </Location>
4. If server-info is required, restrict access to trusted IP addresses or internal networks only:
<Location /server-info>
SetHandler server-info
Require ip 192.168.1.0/24
Require ip 10.0.0.0/8
</Location>
5. Restart Apache to apply the changes:
sudo systemctl restart apache2
or
sudo apachectl restart
6. Verify the change by attempting to access /server-info and confirming it returns a 403 Forbidden or 404 Not Found response.
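To check the outcome of steps 3 and 4 before restarting, the following added example (not part of the original advisory or of Apache itself) scans configuration text for active <Location> blocks that map the server-info handler and classifies their access rules. It assumes the Apache 2.4 Require syntax shown above; the function names and sample configuration are constructed for illustration, and legacy Order/Allow/Deny rules and rules inherited from an enclosing context are not modeled.

```python
import re
# Constructed sample configuration for illustration (not from a real server).
SAMPLE_CONF = """\
<Location /server-info>
    SetHandler server-info
    Require all granted
</Location>
# <Location /old-info>
#     SetHandler server-info
# </Location>
<Location "/info-internal">
    SetHandler server-info
    Require ip 192.168.1.0/24
    Require ip 10.0.0.0/8
</Location>
"""

OPEN_RE = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>', re.I)
CLOSE_RE = re.compile(r"</Location\s*>", re.I)

def judge(directives):
    # Classify one <Location> block; None when it does not map server-info.
    if ["sethandler", "server-info"] not in directives:
        return None
    requires = [d[1:] for d in directives if d[0] == "require"]
    if any(r[:2] == ["all", "granted"] for r in requires):
        return "open"        # sibling Require lines are ORed, so this wins
    if requires and all(r and r[0] in ("ip", "host", "local") for r in requires):
        return "restricted"
    return "review"          # no Require here, or a form this sketch does not model

def audit_server_info(conf_text):
    # Return {location_path: verdict} for active blocks that map server-info.
    results, path, directives = {}, None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue          # commented-out blocks are inactive
        opened = OPEN_RE.match(line)
        if opened:
            path, directives = opened.group(1), []
        elif CLOSE_RE.match(line) and path is not None:
            verdict = judge(directives)
            if verdict:
                results[path] = verdict
            path = None
        elif path is not None:
            directives.append(line.lower().replace('"', "").split() or [""])
    return results
```

Calling audit_server_info(SAMPLE_CONF) reports /server-info as "open" and /info-internal as "restricted"; a "review" verdict means the block has no Require line of its own, so access depends on rules set elsewhere in the configuration.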