How To Disable ETags in Apache Server

Last updated on June 14th, 2024 at 09:47 am

ETags are useful response headers that allow web servers to identify a specific version of a resource such as a file, image or video. They help improve server performance and save network bandwidth. But they can cause security issues for some websites if not used properly. In some cases, you may even need to remove the ETag header completely. In this article, we will look at how to disable ETags in Apache server.

What is ETag?

ETag is a server response header that allows browsers to make conditional requests and perform cache validation efficiently. ETags are resource identifiers that servers add to a website’s resources such as files, images, videos and more. This allows content to be cached more efficiently and saves network bandwidth. For example, a server need not send the full response again if the content has not changed. On the other hand, an ETag poses security risks in case it gets leaked by your code, and can result in a cache poisoning attack on your website. So it is better to disable ETag if your website does not need it.

How To Disable ETags in Apache Server

It is very easy to disable ETag in Apache server. We will need to use the mod_rewrite module for this purpose.

1. Open .htaccess

Before proceeding, please enable mod_rewrite (.htaccess) in your Apache web server. Open the .htaccess file, typically located at /var/www/html/.htaccess:

$ sudo vi /var/www/html/.htaccess

Please note, you can also make the following changes in your server’s main configuration file at /etc/apache2/apache2.conf. But in many cases, the site administrator may not have access to the main configuration file. Also, it is risky to modify this file unless absolutely necessary. Therefore, we strongly recommend enabling mod_rewrite on your Apache server and using the .htaccess file for this purpose. Nevertheless, in the next step, we describe both ways to solve this problem: using the .htaccess file as well as using the configuration file.

2. Disable ETag header

Using .htaccess

Add the following two directives to your .htaccess file:

<IfModule mod_headers.c> 
    Header unset ETag 
</IfModule> 
FileETag None

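The above lines use the Apache Header directive, which is provided by mod_headers; that is why it is wrapped in an IfModule check. Header unset removes the specified header from the response. In our case, we want to remove the ETag header, so we add ‘Header unset ETag’. The FileETag directive is used to create the ETag response header when the response is due to a static file. We need to turn this off too, with ‘FileETag None’. Note that if mod_headers is not loaded, the IfModule block is skipped silently and only FileETag None takes effect.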

To re-enable the ETag header, just remove or comment out the above lines.

Using Apache Configuration

If you have decided to modify your Apache configuration file instead of using .htaccess, then look for the Directory block for your site’s web document root. Add the ‘FileETag None’ directive to it.

<Directory ...>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
FileETag None
</Directory>

Save and close the file.

3. Restart Apache web server

Restart Apache web server to apply changes.

# service httpd restart
OR 
# systemctl restart httpd
OR
$ sudo service apache2 restart

Use a third-party tool to check if your server response still contains the ETag header.
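
One way to run this check from a shell, as an added example that is not part of the original article: the function below reads response headers such as those printed by `curl -sI -L` and reports every ETag it finds. The function names find_etags and check_sample are hypothetical, and both header samples are constructed.

```shell
#!/usr/bin/env bash
# Added example: find ETag headers in raw HTTP response headers read from stdin.
# Input is expected to look like `curl -sI -L <url>` output: possibly several
# header blocks (one per redirect hop), CRLF line endings, any header-name case.

find_etags() {
    # Prints "<response-number> <status> <etag-value>" for every ETag seen.
    # Returns 0 if at least one ETag was found, 1 if there was none.
    awk '
        { sub(/\r$/, "") }                     # drop the CR of CRLF endings
        /^HTTP\// { n++; status = $2; next }   # a status line starts a response
        {
            colon = index($0, ":")
            if (colon == 0) next
            if (tolower(substr($0, 1, colon - 1)) == "etag") {
                value = substr($0, colon + 1)
                sub(/^[ \t]+/, "", value)      # trim space after the colon
                print n, status, value
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: before the change (a redirect, then a file with an ETag).
SAMPLE_BEFORE=$(printf '%s\r\n' \
    'HTTP/1.1 301 Moved Permanently' 'Location: /index.html' '' \
    'HTTP/1.1 200 OK' 'Server: Apache' 'etag: "2aa6-5f1c3b8d0e4c0"' \
    'Content-Type: text/html' '')

# Constructed sample: after "Header unset ETag" and "FileETag None" are applied.
SAMPLE_AFTER=$(printf '%s\r\n' \
    'HTTP/1.1 200 OK' 'Server: Apache' 'Content-Type: text/html' '')

check_sample() {
    # Usage: check_sample "<raw headers>"; prints a one-line verdict.
    if hits=$(printf '%s\n' "$1" | find_etags); then
        echo "ETag still sent: $hits"
    else
        echo "no ETag header"
    fi
}

check_sample "$SAMPLE_BEFORE"
check_sample "$SAMPLE_AFTER"
```

Against a live server, run `curl -sI -L https://example.com/ | find_etags` with your own URL in place of the placeholder; no output and an exit status of 1 means no response in the redirect chain carried an ETag.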

Conclusion

ETags are very handy for large websites that have many users and serve a large amount of content. ETags can make your server cache more efficient by clearly identifying each version of every resource and serving only those parts of the response that have been updated. If the resource is not updated, the cache will serve it, thereby improving website performance and reducing network bandwidth. However, this can pose a security problem in some cases, such as if a website uses a shared cache. Therefore, use it only if you absolutely need it. Otherwise, disable ETag on your site using the above steps.
