Hide Apache ServerSignature/ServerTokens/PHP X-Powered-By

By default almost every Apache installation reveals sensitive server information: the Apache version number, server operating system details, installed Apache modules, the PHP version and so on. Attackers can use this information when planning attacks.

Some examples of how to check what server information Apache sends:

Error page

Use lynx

Use Mozilla Firebug plugin

As you can see, this is very sensitive information if you have not installed the latest security updates.

Hiding and modifying Apache server information

Fortunately, this data can easily be hidden or modified by changing the ServerSignature and ServerTokens directives.

ServerSignature

ServerSignature configures the footer on server-generated documents, such as the 404 error page in the example above. For normal use it is better to hide the whole signature: add or modify the following row in httpd.conf or apache.conf:

If you for some reason want to show the ServerSignature, use:

Or if you want to show a mailto link (e.g. the admin mail address), use:

ServerTokens

Configures the Server HTTP response header. The different ServerTokens options are the following (add or modify in httpd.conf or apache.conf):

Prod or ProductOnly – Server sends (e.g.): Server: Apache

Major – Server sends (e.g.): Server: Apache/2

Minor – Server sends (e.g.): Server: Apache/2.2

Min or Minimal – Server sends (e.g.): Server: Apache/2.2.4

OS – Server sends (e.g.): Server: Apache/2.2.4 (Ubuntu)

Full or not specified – Server sends (e.g.): Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4

The ServerTokens setting applies to the entire server and cannot be enabled or disabled on a virtual-host-by-virtual-host basis.

Hide PHP version (X-Powered-By)

Hiding the PHP version (X-Powered-By) is easy. Add or modify the following row in php.ini:

Summary

The safest basic setup is the following:
httpd.conf or apache.conf rows:

php.ini row:

After all changes, remember to reload the server and check the results. The results should look like this:

Before:

After:
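As an added example (not part of the original post), the check below reads captured response headers, maps the Server header back to the ServerTokens level that produces it, and flags an X-Powered-By header. The sample responses are constructed from the values quoted above; in practice you would feed it the output of `curl -sI` against your own server. The php.ini directive named in the finding (`expose_php`) is assumed to be the row the post refers to.

```shell
#!/bin/sh
# Map a Server header value to the ServerTokens level that would emit it.
server_tokens_level() {
    case "$1" in
        Apache)               echo Prod ;;     # Server: Apache
        Apache/*\)\ *)        echo Full ;;     # "(OS)" followed by module list
        Apache/*\))           echo OS ;;       # Apache/2.2.4 (Ubuntu)
        Apache/*.*.*)         echo Minimal ;;  # Apache/2.2.4
        Apache/*.*)           echo Minor ;;    # Apache/2.2
        Apache/*)             echo Major ;;    # Apache/2
        *)                    echo Unknown ;;  # not an Apache signature
    esac
}

# Extract one header value (case-insensitive name) from raw response headers.
header_value() {
    printf '%s\n' "$2" | tr -d '\r' |
        awk -v name="$1:" 'tolower($1) == name { sub(/^[^:]*: */, ""); print; exit }'
}

# Print one finding per leaked header; return 0 if clean, 1 if anything leaks.
audit_headers() {
    leaks=0
    server=$(header_value server "$1")
    powered=$(header_value x-powered-by "$1")
    if [ -n "$server" ]; then
        level=$(server_tokens_level "$server")
        if [ "$level" != Prod ]; then
            echo "Server header leaks version info (ServerTokens $level): $server"
            leaks=1
        fi
    fi
    if [ -n "$powered" ]; then
        echo "X-Powered-By present (assumed fix: expose_php = Off in php.ini): $powered"
        leaks=1
    fi
    return $leaks
}

# Constructed sample responses: before and after hardening.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
X-Powered-By: PHP/5.2.3-1ubuntu6.4
Content-Type: text/html'
AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

echo "== Before =="; audit_headers "$BEFORE" || echo "-> leaks found"
echo "== After ==";  audit_headers "$AFTER" && echo "-> clean"
```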


4 Comments

  1. Good Article.
    Just one thing is missing. Sometimes you need to set ServerTokens directive in */apache2/conf.d/security file if the directive is not working. Anyways good job…

  2. Thanks for sharing. Nice website btw

  3. If you use XAMPP (v2.5.8) look for the file named httpd-default.conf under \etc\xampp\apache\conf\extra and then make the necessary changes (ServerSignature Off, ServerTokens Prod).

    I was not able to find this info in the net. Hope it helps someone.

  4. I also believe therefore, perfectly penned post!


Trackbacks/Pingbacks

  1. Is It Possible To Know What Programming Language A Web-site Uses? | Click & Find Answer ! - […] with web server and scripting language versions: can be turned off or even […]
