How to Hide Apache Server Version



By default, while serving requests, Apache sends some additional information such as its version number, the operating system, installed Apache modules and more. This helps attackers identify and exploit server vulnerabilities to gain access to your web server. An easy way to prevent this is to hide the Apache server version information in your server responses. Let us look at how to hide the Apache server version to protect your server.

 

How to Hide Apache Server Version

We will see how to stop Apache from showing web server information, using two Apache server directives.

 

ServerSignature

The ServerSignature directive controls whether Apache adds a footer line, with information such as the server name and version, to server-generated documents such as error messages, mod_info output and mod_proxy FTP directory listings.

It has 3 possible values:

  • On – Adds the footer line to server-generated documents.
  • Off – Disables the footer line.
  • EMail – Adds the footer line and also creates an email (mailto:) link to the ServerAdmin.

So keep ServerSignature Off in your server’s conf file.

 

ServerTokens

The ServerTokens directive decides whether the Server response header includes the server description, OS type and information about Apache modules.


ServerTokens Full (or not specified)
Info sent to clients: Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2

ServerTokens Prod[uctOnly]
Info sent to clients: Server: Apache

ServerTokens Major
Info sent to clients: Server: Apache/2

ServerTokens Minor
Info sent to clients: Server: Apache/2.4

ServerTokens Min[imal]
Info sent to clients: Server: Apache/2.4.2

ServerTokens OS
Info sent to clients: Server: Apache/2.4.2 (Unix)

ServerTokens also controls the information shown in the ServerSignature footer.

 

How to Hide Apache Server Version

Open Apache’s server configuration file in a text editor:


$ sudo vi /etc/apache2/apache2.conf #Debian/Ubuntu systems
$ sudo vi /etc/httpd/conf/httpd.conf #RHEL/CentOS systems

 

Look for the lines starting with ServerSignature and ServerTokens and edit them as shown below. If you can’t find them, add them.


ServerTokens Prod
ServerSignature Off

 

Save and close the file. Restart Apache to apply the changes:


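$ sudo systemctl restart apache2 # systemd (Debian/Ubuntu)
$ sudo systemctl restart httpd # systemd (RHEL/CentOS)
$ sudo service apache2 restart # SysVinit (Debian/Ubuntu)
$ sudo service httpd restart # SysVinit (RHEL/CentOS)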

 

Now open a web browser and go to a page (e.g. an error page) that was showing the footer signature. Also check its response header. You’ll see that the footer is no longer present, and the response header no longer contains the server version.
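
The same check can be scripted. The following is an added example, not part of the original article: shell helpers that read response headers on stdin and report which ServerTokens level the Server header corresponds to, and that detect the ServerSignature footer in a response body. The function names are made up for this illustration, and the sample values in the comments are the ones from the table above.

```shell
#!/bin/sh
# Added example (hypothetical helper names): verify what Apache discloses.

# tokens_level: read raw HTTP response headers on stdin and print the
# ServerTokens level that the Server header corresponds to.
tokens_level() {
    # Header names are case-insensitive; strip CRs and trailing blanks.
    value=$(tr -d '\r' | awk '
        tolower($0) ~ /^server:/ && !seen {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; seen = 1
        }')
    # Order matters: the most specific patterns come first.
    case "$value" in
        "")                   echo "none" ;;    # no Server header at all
        Apache)               echo "Prod" ;;    # Server: Apache
        Apache/*" ("*") "?*)  echo "Full" ;;    # version, OS and module tokens
        Apache/*" ("*")")     echo "OS" ;;      # Apache/2.4.2 (Unix)
        Apache/*.*.*)         echo "Min" ;;     # Apache/2.4.2
        Apache/*.*)           echo "Minor" ;;   # Apache/2.4
        Apache/*)             echo "Major" ;;   # Apache/2
        *)                    echo "unknown" ;; # not an Apache-style value
    esac
    # Note: Full with no module tokens looks identical to OS on the wire.
}

# has_signature_footer: read a response body on stdin; succeed (exit 0)
# if it contains the footer line that ServerSignature On/EMail appends.
has_signature_footer() {
    grep -Eq '<address>.*Apache[^<]* Server at [^<]+ Port [0-9]+.*</address>'
}
```

To use it, pipe `curl -sI http://localhost/` into `tokens_level` and the body of an error page into `has_signature_footer`. After the change above, the first should print `Prod` and the second should return a non-zero status.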

About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses.