How to Remove Server Header Using mod_security in Apache



By default, Apache displays the server name, version and other additional information whenever it serves requests. This can provide malicious visitors an opportunity to understand your technology and exploit its vulnerabilities.

 

How to Remove Server Header Using mod_security in Apache

Here are the steps to remove the server header using the mod_security module in Apache. Open a terminal session or SSH into your Linux system.

 

1. Update Apache

First, update the Apache web server and install mod_security.


# apt-get update
# apt-get install libapache-mod-security

 

2. Enable mod_security

Enable mod_security in Apache


# a2enmod mod-security

You’ll see the following message


Module mod-security already enabled

 

3. Configure mod_security

Open config file for mod_security in a text editor


# vi /etc/apache2/conf.d/security

 

SecServerSignature only takes effect when ServerTokens is set to Full, so search for the line beginning with ServerTokens and change it to


ServerTokens Full

 

Next, look for the line beginning with SecServerSignature and change it to any server name you want. For example,

SecServerSignature Just_Another_HTTP_Server

 

4. Reload Apache configuration

Reload Apache configuration to apply changes


# /etc/init.d/apache2 reload

 

That’s it! Apache now sends the name you chose in the Server header instead of its real name and version.

 

5. Test the configuration

Open a web browser and go to a page that doesn’t exist on your domain (e.g. example.com), such as www.example.com/xyz

Apache will show the default “404:page not found” page but without any server information on it.
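The check in step 5 can also be scripted against the response headers rather than the error page. The following is an added example, not part of the original article: the function name check_server_header and the sample responses are constructed for illustration, and the expected name is the SecServerSignature value from step 3.

```shell
#!/bin/sh
# Added example, not from the original article.
# Reads raw HTTP response headers on stdin and classifies the Server header.
# $1 is the name configured with SecServerSignature in step 3.
# Prints: masked | missing | leaking:<value> | unexpected:<value>
# Exit status is 0 only for "masked".
check_server_header() {
    expected=$1
    # Header names are case-insensitive and lines end in CRLF on the wire.
    value=$(tr -d '\r' | awk 'tolower($0) ~ /^server:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    if [ -z "$value" ]; then
        echo "missing"; return 1
    fi
    if [ "$value" = "$expected" ]; then
        echo "masked"; return 0
    fi
    # Product names, module tokens or a dotted version number are disclosure.
    if printf '%s\n' "$value" | grep -Eiq 'apache|mod_|openssl|php|[0-9]+\.[0-9]+'; then
        echo "leaking:$value"; return 1
    fi
    echo "unexpected:$value"; return 1
}

# Constructed sample responses (not captured from a real server).
sample_default() {
    printf 'HTTP/1.1 404 Not Found\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\nServer: Apache/2.2.22 (Ubuntu) PHP/5.3.10\r\nContent-Type: text/html\r\n\r\n'
}
sample_masked() {
    printf 'HTTP/1.1 404 Not Found\r\nserver: Just_Another_HTTP_Server\r\nContent-Type: text/html\r\n\r\n'
}

# Live use against your own server, matching step 5:
#   curl -sI http://www.example.com/xyz | check_server_header Just_Another_HTTP_Server
```

A result of "leaking" after the reload usually means the ServerTokens or SecServerSignature change was made in a file Apache does not load, or the module is not enabled.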

 

 

About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses.