How to hide Apache version in HTTP headers
- Last updated: Nov 3, 2023
- Views: 519
- Author: Admin
In this article, we will talk about how to hide Apache web server version in HTTP headers.
At the moment when a user sends a request to your Apache web server, then in response Apache sends some confidential information to the user in HTTP headers, such as the version number of the Apache web server, short information about the server operating system, installed Apache modules, etc. Displaying the Apache version in the HTTP header is a security risk for your site. This information may well be enough for attackers to exploit vulnerabilities and gain access to your Apache web server.
To reduce the likelihood of your web server being hacked and to reduce attacks on your site, this information must be hidden in order to deprive the attacker of information about the version of your web server, and about the platform as a whole.
By default, the Apache web server sends the Apache version number and a short information about the server's operating system to the user.
As you can see from the example, Apache sends a header called Server from confidential information. This information contains the version of our web server and the name of the operating system.
To hide the version number of the web server and information about the operating system of the server, you need to add two directives to the configuration file of the Apache web server. The directives are named ServerTokens and ServerSignature.
- ServerSignature is a directive that allows you to add a footer string that displays the server name and version number of the web server.
- ServerTokens is a directive that is also responsible for displaying the version number of the web server.
Open the Apache web server configuration file.
$. sudo vi /etc/apache2/apache2.conf
$. sudo vi /etc/httpd/conf/httpd.conf
These two directives need to be added to the configuration file.
After we have added the directives, we now need to restart the Apache web server using the following command:
$. sudo service apache2 restart
$. sudo service httpd restart
Restart the browser and check.
As you can see, now the Server parameter does not contain any confidential information that can help an attacker harm your site.
Thank you all, I hope my article was of some help to you.