How to hide Apache information with ServerTokens and ServerSignature directives

In the default Apache configuration, the server sends an HTTP header containing the Apache version, modules, operating system, etc. of the server. The HTTP response header “Server” displays all these details. This information can be used by hackers to try to exploit any vulnerabilities in Apache, the OS or other modules you are running, especially if you are running an older version with known vulnerabilities.

Sample HTTP Response Header:

HTTP/1.1 200 OK
Date: Sun, 10 Feb 2012 07:24:47 GMT
Server: Apache/2.2.17 (Win32) PHP/5.2.17
Vary: Accept-Encoding,Cookie

Note: This is just one way to identify these details. Even if this information is not available, hackers might still try to attack the server in other ways.

There is an easy way to hide the Apache version and other server information from the HTTP headers. By setting the “ServerTokens” and “ServerSignature” directives in your httpd.conf file, the version, OS and module details will no longer be added to the HTTP headers. Use the following lines in your httpd.conf file. Make sure to back up your file before editing so that you can easily revert in case something goes wrong. After making the changes, restart Apache (Note: Doing so will take your site down if it runs on only 1 server).

ServerTokens ProductOnly
ServerSignature Off

After using the above directives the HTTP headers will look similar to this:

HTTP/1.1 200 OK
Date: Sun, 10 Feb 2012 07:24:47 GMT
Server: Apache
Vary: Accept-Encoding,Cookie

The ServerTokens directive controls how much detail about the server, OS and compiled-in modules is included in the Server response header. ServerTokens can take several values. Here is the output for each value:

ServerTokens Value          Server Sends
Full (or not specified)     Server: Apache/2.2.17 (Win32) PHP/5.2.17
Prod (or ProductOnly)       Server: Apache
Major                       Server: Apache/2
Minor                       Server: Apache/2.2
Min (or Minimal)            Server: Apache/2.2.17
OS                          Server: Apache/2.2.17 (Win32)

The ServerSignature directive can be used to configure a trailing footer line under server-generated documents (e.g. error pages, directory listings, etc.). The default setting for this directive is Off, which does not display the footer line. If this is set to On, the server will add a line with the server version number and the ServerName of the virtual host. If we set this value to Email, it will add a “mailto:” link to the ServerAdmin defined in the server configuration. After Apache 2.0.44 the value of the server version number is controlled by the ServerTokens directive.

Note: Make these changes on your server only if you are sure you know how to do them. If you make a mistake in the httpd.conf file, your site won’t work, so be very careful when making these changes. Also, it is always good to take a backup of the existing file before making any changes, in case you want to revert.
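
To confirm the change took effect, the following added example (not part of the original post) classifies a Server header value against the ServerTokens table above and checks a server-generated page for the ServerSignature footer. The function names and the two sample responses are constructed for illustration, and the footer pattern assumes Apache's stock <address>...</address> signature line.

```python
import re

# Server header shapes follow the ServerTokens table above.
_PRODUCT = re.compile(r"^Apache(?:/(?P<ver>\d+(?:\.\d+){0,2}))?(?P<rest>.*)$")
# Footer line appended to generated pages when ServerSignature is On or Email.
_FOOTER = re.compile(r"<address>Apache[^<]* Server at .*?</address>", re.I | re.S)

def server_tokens_level(value):
    """Name the ServerTokens setting that would produce this Server header value."""
    m = _PRODUCT.match(value.strip())
    if not m:
        return "unknown"
    ver, rest = m.group("ver"), m.group("rest").strip()
    if ver is None:
        return "Prod" if not rest else "unknown"
    if ver.count(".") < 2:
        return ("Major", "Minor")[ver.count(".")]
    if not rest:
        return "Min"
    # Only an "(OS)" comment after the version is OS; module tokens mean Full.
    return "OS" if re.fullmatch(r"\([^)]*\)", rest) else "Full"

def audit_response(raw):
    """Return findings for one raw HTTP response (status line, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    for line in head.split("\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            level = server_tokens_level(value)
            if level != "Prod":
                findings.append(f"Server header looks like ServerTokens {level}: {value.strip()}")
    if _FOOTER.search(body):
        findings.append("ServerSignature footer found in response body")
    return findings

# Constructed sample responses (not captured from a real server).
BEFORE = ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.17 (Win32) PHP/5.2.17\r\n\r\n"
          "<h1>Not Found</h1><hr>\n<address>Apache/2.2.17 (Win32) PHP/5.2.17 "
          "Server at www.example.com Port 80</address>")
AFTER = "HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n<h1>Not Found</h1>"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(raw) or "no version details exposed")
```

Request a page that does not exist when checking a real server, since the ServerSignature footer only appears on server-generated documents such as error pages.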
