From cb5cf5466c2308f3762904679f0e562a3c7dde14 Mon Sep 17 00:00:00 2001
From: Grant Slater <github@firefishy.com>
Date: Tue, 29 Jul 2025 12:16:15 +0100
Subject: [PATCH] apache: Set minimal ServerTokens and disable ServerSignature

---
 cookbooks/apache/recipes/default.rb                | 4 ++++
 cookbooks/apache/templates/default/tokens.conf.erb | 7 +++++++
 2 files changed, 11 insertions(+)
 create mode 100644 cookbooks/apache/templates/default/tokens.conf.erb

diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb
index a17e2f4cb..20b74115d 100644
--- a/cookbooks/apache/recipes/default.rb
+++ b/cookbooks/apache/recipes/default.rb
@@ -72,6 +72,10 @@ apache_module "status" do
   variables :hosts => admins["hosts"]
 end
 
+apache_conf "tokens" do
+  template "tokens.conf.erb"
+end
+
 if node[:apache][:evasive][:enable]
   apache_module "evasive" do
     conf "evasive.conf.erb"
diff --git a/cookbooks/apache/templates/default/tokens.conf.erb b/cookbooks/apache/templates/default/tokens.conf.erb
new file mode 100644
index 000000000..bc05c9494
--- /dev/null
+++ b/cookbooks/apache/templates/default/tokens.conf.erb
@@ -0,0 +1,7 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+# Hide server version on error pages
+ServerSignature Off
+
+# Only return Apache in server header
+ServerTokens Prod
-- 
2.39.5