Changing Your Server Headers Using Varnish

Changing one’s server headers is both practical and fun. It’s a good idea to remove information that could help an attacker, and it’s also enjoyable to put interesting values in there and see who notices.

There are tons of ways of doing this, based on the server you use, but here’s a way to do it with Varnish.

Editing default.vcl

In Varnish, your default.vcl file contains the rules that govern your server responses. The vcl_deliver section further defines what goes out to clients.

By adjusting this section you can strip the values that were set by your backend web server, and substitute your own:

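sub vcl_deliver {
    # Strip headers set by the backend web server or by Varnish itself.
    # "remove" is the keyword in Varnish 3.x and earlier; Varnish 4.0 and later use "unset".
    remove resp.http.Via;
    remove resp.http.X-Whatever;
    remove resp.http.X-Powered-By;
    remove resp.http.X-Varnish;
    remove resp.http.Age;
    remove resp.http.Server;
    # Substitute your own values for the identifying headers.
    set resp.http.Server = "TFE";
    set resp.http.X-Powered-By = "Curiosity";
}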

As you can see, it’s pretty simple syntax: you remove the ones you don’t want via “remove”, and add the new ones via “set”. Then just run curl -I to view the new headers:

curl -I http://yoursite.com

That’s it!
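The curl -I check can be scripted so it runs after every VCL change. The following is an added example, not part of the original post: check_headers is a hypothetical helper name, and both sample responses are constructed rather than captured from a real site.

```shell
#!/bin/sh
# check_headers (hypothetical helper): reads raw response headers on stdin,
# e.g.  curl -sI http://yoursite.com | check_headers
# Prints one LEAK line per finding; returns 0 if clean, 1 otherwise.
check_headers() {
    tr -d '\r' | awk -v want_server="TFE" -v want_powered="Curiosity" '
        BEGIN {
            # Headers that the vcl_deliver block removes outright.
            n = split("via x-whatever x-varnish age", gone, " ")
            for (i = 1; i <= n; i++) banned[gone[i]] = 1
            bad = 0
        }
        /^HTTP\// || /^$/ { next }      # skip status lines and separators
        {
            i = index($0, ":")
            if (i == 0) next
            name = tolower(substr($0, 1, i - 1))   # names are case-insensitive
            value = substr($0, i + 1)
            sub(/^[ \t]+/, "", value); sub(/[ \t]+$/, "", value)
            # Replaced headers must carry exactly the value set in the VCL.
            if (name in banned ||
                (name == "server" && value != want_server) ||
                (name == "x-powered-by" && value != want_powered)) {
                print "LEAK " name ": " value
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample responses (not captured from a real site).
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10
X-Varnish: 1886109724
Age: 0
Via: 1.1 varnish
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Server: TFE
X-Powered-By: Curiosity
Content-Type: text/html'

printf '%s\n' "$BEFORE" | check_headers || echo "backend response: leaks found"
printf '%s\n' "$AFTER" | check_headers && echo "delivered response: clean"
```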

Many thanks to Twitter for letting me run a copy of TFE for my site. 😉
