September 25, 2013

Changing Your Server Headers Using Varnish

Changing one’s server headers is both practical and fun. It’s a good idea to remove information that could help an attacker, and it’s also enjoyable to put interesting values in there and see who notices.

There are tons of ways of doing this, based on the server you use, but here’s a way to do it with Varnish.

Editing default.vcl

In Varnish, your default.vcl file contains the rules that govern your server responses. The vcl_deliver subroutine runs just before a response is sent to the client, so it has the final say over the headers that go out.

By adjusting this section you can strip the values that were set by your backend web server, and substitute your own:

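```vcl
sub vcl_deliver {
    # "remove" is Varnish 3 syntax; Varnish 4.0 and later accept only "unset".
    # Strip headers added by the backend and by Varnish itself.
    remove resp.http.Via;
    remove resp.http.X-Whatever;
    remove resp.http.X-Powered-By;
    remove resp.http.X-Varnish;
    remove resp.http.Age;
    remove resp.http.Server;
    # Substitute your own values.
    set resp.http.Server = "TFE";
    set resp.http.X-Powered-By = "Curiosity";
}
```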

As you can see, it’s pretty simple syntax: you remove the ones you don’t want via “remove”, and add the new ones via “set”. Then just run curl -I to view the new headers:

```bash
curl -I http://yoursite.com
```
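
To check the result mechanically rather than by eye, the script below (an added example, not part of the original post) reads response headers on stdin and flags any header the VCL above was meant to strip or rewrite. The function name check_headers, the finding labels and the two sample responses are constructed for illustration.

```shell
# Headers the VCL above removes outright (lower-cased for comparison).
STRIPPED="via x-whatever x-varnish age"

# check_headers EXPECTED_SERVER EXPECTED_POWERED_BY
# Reads raw response headers on stdin, prints one finding per line,
# returns 0 if clean and 1 otherwise. Against a live site:
#   curl -sI http://yoursite.com | check_headers "TFE" "Curiosity"
check_headers() {
    awk -v stripped="$STRIPPED" -v ws="$1" -v wp="$2" '
        BEGIN { n = split(stripped, s, " "); for (i = 1; i <= n; i++) bad[s[i]] = 1 }
        { sub(/\r$/, "") }              # HTTP header lines end in CRLF
        /^HTTP\// || $0 == "" { next }  # skip status lines and blank separators
        {
            c = index($0, ":"); if (c == 0) next
            name = tolower(substr($0, 1, c - 1))   # header names are case-insensitive
            val = substr($0, c + 1); sub(/^[ \t]+/, "", val)
            if (name in bad)                         { print "LEAK " name ": " val; rc = 1 }
            if (name == "server" && val != ws)       { print "NOT-REWRITTEN server: " val; rc = 1 }
            if (name == "x-powered-by" && val != wp) { print "NOT-REWRITTEN x-powered-by: " val; rc = 1 }
        }
        END { exit rc + 0 }
    '
}

# Constructed sample: a response before the vcl_deliver rules are in place.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP\r\n'
    printf 'X-Varnish: 1234567\r\nAge: 0\r\nVia: 1.1 varnish\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}

# Constructed sample: the same response after the rules apply.
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nserver: TFE\r\nX-Powered-By: Curiosity\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}

# Demo on the constructed samples.
echo "before:"; sample_before | check_headers "TFE" "Curiosity" || true
echo "after:";  sample_after  | check_headers "TFE" "Curiosity" && echo "clean"
```

A non-zero exit status makes this usable as a post-deploy check after reloading the VCL.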

That’s it!

Many thanks to Twitter for letting me run a copy of TFE for my site. 😉