Apache Server-Status Detected - Vulnerability Database

Apache Server-Status Detected

Description

The Apache server-status page is an administrative interface that provides real-time performance metrics and diagnostic information about the web server. When publicly accessible, this endpoint exposes detailed operational data including active connections, server uptime, request statistics, and potentially sensitive configuration details. This feature is often enabled by default or left configured without proper access restrictions.

Remediation

Disable the server-status functionality if it is not actively required for monitoring purposes. To remediate, locate the <Location /server-status> directive in your Apache configuration file (typically httpd.conf or apache2.conf) and comment it out or remove it entirely:

# <Location /server-status>
#     SetHandler server-status
#     Require host example.com
# </Location>

If server-status is required for legitimate monitoring, restrict access to trusted IP addresses or internal networks only:

<Location /server-status>
    SetHandler server-status
    Require ip 192.168.1.0/24
    Require ip 10.0.0.5
</Location>

After making changes, validate the configuration with apachectl configtest and restart Apache to apply the changes.
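As a complement to apachectl configtest, which checks syntax but not exposure, the following added example (not part of the original advisory or any Invicti tooling) audits configuration text for active server-status handlers and reports whether each is restricted. It assumes Apache 2.4 Require directives placed directly inside a <Location> block; it does not follow Include files, evaluate RequireAll/RequireNone containers or negated Require rules, or handle 2.2-style Allow/Deny. The function name and the sample configurations are constructed for illustration.

```python
import re

# Constructed sample configurations (not taken from any real server).
OPEN_CONF = """
<Location /server-status>
    SetHandler server-status
    Require all granted
</Location>
"""
RESTRICTED_CONF = """
<Location /server-status>
    SetHandler server-status
    Require ip 192.168.1.0/24
    Require ip 10.0.0.5
</Location>
"""
DISABLED_CONF = """
# <Location /server-status>
#     SetHandler server-status
# </Location>
"""

BLOCK = re.compile(r'<Location\s+"?([^\s">]+)"?\s*>(.*?)</Location>', re.S | re.I)
SET_HANDLER = re.compile(r"^\s*SetHandler\s+server-status\b", re.I | re.M)
REQUIRE = re.compile(r"^\s*Require\s+(.+)$", re.I | re.M)

def audit_server_status(conf_text):
    """Return (path, verdict) for every active server-status handler."""
    # Drop comment lines first so a commented-out block counts as disabled.
    active = "\n".join(l for l in conf_text.splitlines() if not l.lstrip().startswith("#"))
    findings = []
    for path, body in BLOCK.findall(active):
        if not SET_HANDLER.search(body):
            continue
        requires = [r.strip().lower() for r in REQUIRE.findall(body)]
        if not requires:
            verdict = "review: no Require in block, access is inherited"
        elif "all granted" in requires:
            # Sibling Require lines are OR-ed, so one "all granted" opens the page.
            verdict = "open: Require all granted"
        else:
            verdict = "restricted: " + "; ".join(requires)
        findings.append((path, verdict))
    return findings

if __name__ == "__main__":
    for name, conf in [("open", OPEN_CONF), ("restricted", RESTRICTED_CONF), ("disabled", DISABLED_CONF)]:
        print(name, audit_server_status(conf))
```

An empty result means no active server-status handler was found in the text supplied; a "review" verdict means the block relies on access rules defined elsewhere and should be checked by hand.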
