How to hide Apache version in HTTP headers

  • Last update: Apr 3, 2024
  • Author: Admin

Hello colleagues.

In this article, we will talk about how to hide the Apache web server version in HTTP headers.

When a user sends a request to your Apache web server, Apache includes some confidential information in the HTTP headers of its response, such as the version number of the Apache web server, brief information about the server operating system, installed Apache modules, etc. Displaying the Apache version in the HTTP header is a security risk for your site. This information may well be enough for attackers to exploit vulnerabilities and gain access to your Apache web server.

To reduce the likelihood of your web server being hacked and to reduce attacks on your site, hide this information so that an attacker learns nothing about the version of your web server or about the platform as a whole.

 

By default, the Apache web server sends the Apache version number and brief information about the server's operating system to the user.

[Image: apache hide version]

As you can see from the example, Apache sends confidential information in a header called Server. This header contains the version of our web server and the name of the operating system.


 

To hide the version number of the web server and information about the operating system of the server, you need to add two directives to the configuration file of the Apache web server. The directives are named ServerTokens and ServerSignature.

  • ServerSignature is a directive that allows you to add a footer string that displays the server name and version number of the web server.
  • ServerTokens is a directive that is also responsible for displaying the version number of the web server.

 

Open the Apache web server configuration file.

Debian/Ubuntu

$ sudo vi /etc/apache2/apache2.conf

RHEL/CentOS

$ sudo vi /etc/httpd/conf/httpd.conf

 

These two directives need to be added to the configuration file.

ServerTokens Prod
ServerSignature Off

 

After adding the directives, restart the Apache web server using the following command:

Debian/Ubuntu

$ sudo service apache2 restart

RHEL/CentOS

$ sudo service httpd restart


 

Restart the browser and check.

[Image: apache hide version]

As you can see, now the Server parameter does not contain any confidential information that can help an attacker harm your site.
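The same check can be scripted instead of done in the browser. The following is an added example, not part of the original article: the function names (directive_value, config_is_hardened, server_header_leaks) are hypothetical, and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the ServerTokens / ServerSignature change.

# Print the last value a config file assigns to a directive. Directive names
# are case-insensitive, comment lines are skipped, later lines override earlier.
directive_value() {   # usage: directive_value NAME FILE
    awk -v name="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(name) { val = $2 }
        END { if (val != "") print val }
    ' "$2"
}

# Succeed only if FILE sets both directives the way the article recommends.
config_is_hardened() {   # usage: config_is_hardened FILE
    tokens=$(directive_value ServerTokens "$1" | tr '[:upper:]' '[:lower:]')
    sig=$(directive_value ServerSignature "$1" | tr '[:upper:]' '[:lower:]')
    [ "$tokens" = "prod" ] || [ "$tokens" = "productonly" ] || return 1
    [ "$sig" = "off" ]
}

# Read response headers on stdin; succeed if the Server header still carries
# a version number (any digit) or a parenthesised platform comment.
server_header_leaks() {
    awk '
        { sub(/\r$/, "") }
        tolower($0) ~ /^server:/ {
            v = $0; sub(/^[^:]*:[ \t]*/, "", v)
            if (v ~ /[0-9]/ || index(v, "(") > 0) leak = 1
        }
        END { exit (leak ? 0 : 1) }
    '
}

# Constructed sample responses (not captured from a real server).
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.0 (Ubuntu)
Content-Type: text/html'
SAMPLE_AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

# Live check against your own server (hostname is a placeholder):
#   curl -sI http://localhost/ | server_header_leaks && echo "still leaking"
```

directive_value reads a single file and does not follow Include directives, so run config_is_hardened on every file that your main configuration includes as well.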


 

Thank you all, I hope my article was of some help to you.
