
ServerSignature and ServerTokens

Posted: 16 Jul 2010, 21:06
by csfusr
The latest version of CSF warns about ServerSignature and ServerTokens when the settings are On and non-ProductOnly respectively. However, for the ModSecurity SecServerSignature setting, the ServerTokens directive must be Full. Could CSF take this into account?

Posted: 17 Jul 2010, 18:40
by Sergio
csfusr wrote: The latest version of CSF warns about ServerSignature and ServerTokens when the settings are On and non-ProductOnly respectively. However, for the ModSecurity SecServerSignature setting, the ServerTokens directive must be Full. Could CSF take this into account?
This is not an issue for ModSecurity.
Why do you say so?

If you go to your modsec configuration files and set the following command:
SecServerSignature Apache
this way ModSecurity will only display what you have set in your SecServerSignature.

IMO this is not a suggestion issue.

Regards,

Sergio

Posted: 17 Jul 2010, 22:39
by csfusr
I think I did not phrase well.

To use the ModSecurity SecServerSignature setting, the Apache ServerTokens directive must be set to Full. But when the ServerTokens directive is set to Full and ServerSignature to On, CSF gives warnings.

CSF warnings are justified if those two directives are in use without the use of ModSecurity's SecServerSignature, but not when their only purpose is to enable the use of SecServerSignature of ModSecurity.

Posted: 18 Jul 2010, 03:41
by Sergio
csfusr wrote: I think I did not phrase it well.

To use the ModSecurity SecServerSignature setting, the Apache ServerTokens directive must be set to Full. But when the ServerTokens directive is set to Full and ServerSignature to On, CSF gives warnings.

CSF warnings are justified if those two directives are in use without the use of ModSecurity's SecServerSignature, but not when their only purpose is to enable the use of SecServerSignature in ModSecurity.
As I said in my post, you don't have to set "SecServerSignature on"; you have to change this to "SecServerSignature apache". Using "apache" instead of "on", you don't need to have Apache ServerTokens set to Full; you can set this to PCI compliant and you will not have any errors at all.

Sergio.
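For reference, here are the two Apache configurations the thread is comparing, written side by side. This is an added example and not configuration from the thread, from CSF or from the ModSecurity project; the directive values shown are the standard Apache ones, and the note about ServerTokens follows the ModSecurity 2.x reference manual entry for SecServerSignature, which states that ServerTokens must be set to Full for the directive to take effect. The hostname and the replacement banner string are placeholders chosen for the example.

```apache
# --- Variant A: plain Apache hardening, what CSF's check expects ---
# Server header becomes just "Apache" (no version, no module list),
# and no version footer is appended to error pages or directory listings.
ServerTokens ProductOnly
ServerSignature Off

# --- Variant B: letting ModSecurity rewrite the Server header ---
# Per the ModSecurity reference manual, SecServerSignature only works
# when Apache emits its full banner, because ModSecurity overwrites that
# full string in place. So ServerTokens has to be Full here.
ServerTokens Full

# ServerSignature is independent of the Server header: it only controls
# the footer on server-generated pages. It can stay Off in this variant,
# so ModSecurity use does not require ServerSignature On.
ServerSignature Off

<IfModule security2_module>
    SecRuleEngine On
    # Replacement banner (placeholder value for the example).
    # The string must fit inside the space of the original full banner,
    # otherwise ModSecurity truncates it.
    SecServerSignature "Apache"
</IfModule>
```

After restarting Apache, verify what clients actually see with `curl -sI http://example.com/ | grep -i '^Server:'` (hostname is a placeholder); with variant B in effect and ModSecurity loaded, the header should read `Server: Apache` even though ServerTokens is Full. If ModSecurity is not loaded on that vhost, variant B exposes the full version banner, which is exactly the case CSF's warning is meant to catch.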