Last updated on October 17, 2020 by Dan Nanni
Revealing web server signature with server/PHP version info can be a security risk as you are essentially telling attackers known vulnerabilities of your system. Thus it is recommended you disable all web server signatures as part of server hardening process.
Disabling Apache web server signature can be achieved by editing Apache config file.
$ sudo vi /etc/apache2/apache2.conf
$ sudo vi /etc/httpd/conf/httpd.conf
Add the following two lines at the end of Apache config file.
ServerSignature Off ServerTokens Prod
Then restart web server to activate the change:
$ sudo service apache2 restart (Ubuntu, Debian or Linux Mint) $ sudo service httpd restart (CentOS/RHEL 6) $ sudo systemctl restart httpd.service (Fedora, CentOS/RHEL 7, Arch Linux)
The first line that says
ServerSignature Off makes Apache2 web server hide Apache version info on any error pages.
However, without the second line
ServerTokens Prod, Apache server will still include a detailed server token in HTTP response headers, which reveals Apache version number.
What the second line
ServerTokens Prod does is to suppress a server token in HTTP response headers to a bare minimal.
So with both lines in place, Apache will not reveal Apache version info in either web pages or HTTP response headers.
Another potential security threat is PHP version info leak in HTTP response headers. By default, Apache web server includes PHP version info via
X-Powered-By field in HTTP response headers. If you want to hide PHP version in HTTP headers, open
php.ini file with a text editor, look for
expose_php = On, and change it to
expose_php = Off.
$ sudo vi /etc/php5/apache2/php.ini
$ sudo vi /etc/php.ini
expose_php = Off
Finally, restart Apache2 web server to reload updated PHP config file.
Now you will no longer see
X-Powered-By field in HTTP response headers.
This website is made possible by minimal ads and your gracious donation via PayPal or credit card
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.