Enhancement: Harden default reverse proxy configuration to not send it's name and version number to the client.

contrib/apache2/zammad.conf

@@ -6,6 +6,9 @@
     # replace 'localhost' with your fqdn if you want to use zammad from remote
     ServerName localhost
 
+    # security - prevent information disclosure about server version
+    ServerTokens Prod
+
     ## don't loose time with IP address lookups
     HostnameLookups Off
 

contrib/apache2/zammad_ssl.conf

@@ -9,6 +9,10 @@
 
 <VirtualHost *:80>
     ServerName example.com
+
+    # security - prevent information disclosure about server version
+    ServerTokens Prod
+
     Redirect permanent / https://example.com
 </VirtualHost>
 
@@ -25,6 +29,9 @@
     # replace 'localhost' with your fqdn if you want to use zammad from remote
     ServerName localhost
 
+    # security - prevent information disclosure about server version
+    ServerTokens Prod
+
     ## don't loose time with IP address lookups
     HostnameLookups Off
 

contrib/nginx/zammad.conf

@@ -16,6 +16,9 @@ server {
     # replace 'localhost' with your fqdn if you want to use zammad from remote
     server_name localhost;
 
+    # security - prevent information disclosure about server version
+    server_tokens off;
+
     root /opt/zammad/public;
 
     access_log /var/log/nginx/zammad.access.log;

contrib/nginx/zammad_ssl.conf

@@ -21,6 +21,9 @@ server {
 
   server_name example.com;
 
+  # security - prevent information disclosure about server version
+  server_tokens off;
+
   access_log /var/log/nginx/zammad.access.log;
   error_log /var/log/nginx/zammad.error.log;
 
@@ -38,6 +41,9 @@ server {
 
   server_name example.com;
 
+  # security - prevent information disclosure about server version
+  server_tokens off;
+
   ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem;
   ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem;