Protecting Apache by removing version signatures and Server info

Hey Guys

If you run a website or blog and you are in charge of the server, for example on a VPS, you might not want to let everyone know what version of Apache or Linux you are running.

This gives potential attackers information they can use against your site. For example, if an attacker browses your site and receives a message saying that Apache 2.4.x has encountered a problem, the attacker knows exactly which version of Apache you are running and can then check it against a database like http://vuldb.com to find known vulnerabilities.

This matters especially if you are running an outdated version that may be buggy. But we are always running the latest code, right, so we need not worry???

LOL, we know that's not always the case, as patching systems is still a problem for many organizations.

Keeping up to date with things like patching is the single most important thing you can do for your systems.


So what can we do to reduce the information our web server sends out? See below.


Default behavior

By default, when you surf to a page served by Apache, you can use your browser's developer tools (usually opened by pressing F11) to see the HTTP responses from the server, as shown below.

We see the Server HTTP header, which shows we are running Apache 2.4.6 on a CentOS operating system:

Keep-Alive: timeout=5, max=98
Date: Thu, 16 Oct 2014 13:20:58 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.2.20


A quick search on vuldb.com shows a list of exploits related to Apache 2.4. Now, granted, that doesn't mean you're in; you still need the expertise to apply these exploits. But the point is that we now have information the site willingly gives up! Yay for hackers, doh for admins!




OK, let's fix it! The fix is dead simple: all you need to do is add the following lines to your httpd.conf or apache2.conf file, depending on which OS you are using.


For Debian/Ubuntu

Use your text editor to edit /etc/apache2/apache2.conf and add the following lines to the bottom:

ServerSignature Off
ServerTokens Prod

For CentOS/RHEL

Use your text editor to edit httpd.conf (on CentOS/RHEL this is normally /etc/httpd/conf/httpd.conf) and add the same two lines to the bottom.

Now restart your Apache service so the change takes effect.

On Debian/Ubuntu:

systemctl restart apache2

On CentOS/RHEL:

systemctl restart httpd

Now go back to the page and reload it while checking the headers; you should see the following response:

Keep-Alive: timeout=5, max=100
Date: Thu, 16 Oct 2014 13:20:58 GMT
Server: Apache

As you can see, all the information given out now is simply "Apache", not the version and not the underlying OS.

See, simple and helpful. No need to give out more info than we need to!
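As an added example (not code from the original post), here is a small POSIX shell script that does both halves of the procedure above in a repeatable way: it writes ServerSignature Off and ServerTokens Prod into a config file idempotently (rewriting an existing directive instead of appending a duplicate every time it runs), and it checks a captured set of response headers for the version and OS leak described above. The sample responses are constructed from the header values shown on this page; the config paths in the comments are the usual Debian and CentOS locations, and the example.invalid host is a placeholder. It also flags the X-Powered-By header that PHP adds, which the two Apache directives do not remove (that one is controlled by expose_php in php.ini).

```shell
#!/bin/sh
# Added example, not code from the original post. File paths are assumptions
# and the sample responses below are constructed from values shown on the page.

# ensure_directive FILE NAME VALUE
# Guarantees FILE contains "NAME VALUE": an existing, uncommented NAME line is
# rewritten in place, otherwise the directive is appended. Running it twice
# leaves the file unchanged, unlike blindly appending to the bottom.
ensure_directive() {
    file=$1; name=$2; value=$3
    if grep -Eq "^[[:space:]]*$name[[:space:]]" "$file"; then
        sed -E "s/^[[:space:]]*$name[[:space:]].*/$name $value/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$name" "$value" >> "$file"
    fi
}

# harden_apache_conf FILE
# FILE is /etc/apache2/apache2.conf on Debian/Ubuntu or
# /etc/httpd/conf/httpd.conf on CentOS/RHEL (assumed standard locations).
harden_apache_conf() {
    ensure_directive "$1" ServerSignature Off
    ensure_directive "$1" ServerTokens Prod
}

# header_value NAME   (raw response headers on stdin) -> prints the value, if any.
# Header names are matched case-insensitively; CRs from the wire are stripped.
header_value() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    tr -d '\r' | awk -v want="$want" '
        /^[^:]+:/ {
            key = tolower(substr($0, 1, index($0, ":") - 1))
            if (key == want) { sub(/^[^:]*:[ \t]*/, ""); print; exit }
        }'
}

# check_headers RAW_HEADERS
# Returns 0 when nothing identifying is exposed; 1 when the Server header
# carries a version or OS token, or an X-Powered-By header is present.
check_headers() {
    server=$(printf '%s\n' "$1" | header_value Server)
    powered=$(printf '%s\n' "$1" | header_value X-Powered-By)
    rc=0
    case $server in
        */*|*\(*)
            echo "LEAK  Server: $server  (set ServerTokens Prod / ServerSignature Off)"
            rc=1 ;;
        *)
            echo "ok    Server: ${server:-<absent>}" ;;
    esac
    if [ -n "$powered" ]; then
        echo "LEAK  X-Powered-By: $powered  (set expose_php = Off in php.ini)"
        rc=1
    fi
    return $rc
}

# Constructed samples built from the header values shown on this page.
LEAKY_RESPONSE='HTTP/1.1 200 OK
Date: Thu, 16 Oct 2014 13:20:58 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.2.20
Keep-Alive: timeout=5, max=98'

PHP_RESPONSE='HTTP/1.1 200 OK
Date: Wed, 15 Sep 2021 06:07:42 GMT
Server: Apache
X-Powered-By: PHP/7.4.8'

CLEAN_RESPONSE='HTTP/1.1 200 OK
Date: Thu, 16 Oct 2014 13:20:58 GMT
Server: Apache
Keep-Alive: timeout=5, max=100'

demo() {
    conf=$(mktemp)
    printf 'ServerTokens OS\nServerSignature On\n' > "$conf"
    harden_apache_conf "$conf"
    harden_apache_conf "$conf"    # second run must not add duplicate lines
    echo "--- hardened config ---"; cat "$conf"; rm -f "$conf"
    for r in "$LEAKY_RESPONSE" "$PHP_RESPONSE" "$CLEAN_RESPONSE"; do
        echo "--- response ---"
        if check_headers "$r"; then echo "verdict: clean"; else echo "verdict: leaks"; fi
    done
    # Against a live server (placeholder host) the same check is:
    #   check_headers "$(curl -sI https://example.invalid/)"
    return 0
}
demo
```

The config step rewrites an existing ServerTokens or ServerSignature line rather than appending, because Apache honours the last occurrence and a file that already says ServerTokens OS would otherwise end up with two conflicting lines after each run. The check step treats a Server value containing a slash or a parenthesised token as a leak, which is exactly what ServerTokens Prod strips down to the bare product name.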


You can also see my video on this below




1 thought on "Protecting Apache by removing version signatures and Server info"

  1. Hi,
    I suggest setting expose_php = Off in php.ini too. Without this, anyone can easily find out the PHP version:
    lynx -head https://url
    HTTP/1.1 200 OK
    Date: Wed, 15 Sep 2021 06:07:42 GMT
    Server: Apache
    X-Powered-By: PHP/7.4.8
