By default, almost all Apache installations reveal sensitive server information: the Apache version number, server operating system details, installed Apache modules, PHP version and so on. Attackers can use this information when planning attacks.
Some examples of how to check the server information that Apache sends:
Error page
Use lynx
$ lynx -head -mime_header http://www.ubuntu.com
HTTP/1.0 200 OK
Date: Fri, 20 Nov 2009 09:25:46 GMT
Server: Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.4-2ubuntu5.7
Content-Type: text/html; charset=utf-8
Age: 13
Content-Length: 0
X-Cache: HIT from avocado.canonical.com
X-Cache-Lookup: HIT from avocado.canonical.com:80
Via: 1.0 avocado.canonical.com:80 (squid/2.6.STABLE18)
Connection: close
$
Use the Mozilla Firebug plugin
As you can see, this is very sensitive information if you have not installed the latest security updates.
Hiding and modifying Apache server information
Fortunately, this data can easily be hidden or modified by changing the ServerSignature and ServerTokens directives.
ServerSignature
ServerSignature configures the footer on server-generated documents, such as the 404 error page. In normal use it is better to hide the whole signature by adding or modifying the following row in the httpd.conf or apache.conf file:
ServerSignature Off
If for some reason you want to show the ServerSignature, use:
ServerSignature On
Or if you want to show a mailto link (for example the admin's e-mail address), use:
ServerSignature Email
ServerTokens
ServerTokens configures the Server HTTP response header. The different ServerTokens directive options are the following (add or modify in httpd.conf or apache.conf):
Prod or ProductOnly – Server sends (e.g.): Server: Apache
ServerTokens Prod
Major – Server sends (e.g.): Server: Apache/2
ServerTokens Major
Minor – Server sends (e.g.): Server: Apache/2.2
ServerTokens Minor
Min or Minimal – Server sends (e.g.): Server: Apache/2.2.4
ServerTokens Min
OS – Server sends (e.g.): Server: Apache/2.2.4 (Ubuntu)
ServerTokens OS
Full or not specified – Server sends (e.g.): Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
ServerTokens Full
The ServerTokens setting applies to the entire server and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.
Hide PHP version (X-Powered-By)
Hiding the PHP version (X-Powered-By) is easy. Add or modify the following row in the php.ini file:
expose_php = Off
Summary
The safest basic setup is the following:
httpd.conf or apache.conf rows:
ServerSignature Off
ServerTokens Prod
php.ini row:
expose_php = Off
After all changes, remember to reload the server and check the results. The results should look like this:
Before:
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:20:30 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
X-Powered-By: PHP/5.2.3-1ubuntu6.4
Connection: close
Content-Type: text/html; charset=UTF-8
After:
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 13:06:21 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
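As an added example (not part of the original post), a small Python check that parses a captured response head, infers the ServerTokens level from the Server header using the table above, and reports which of the directives covered here still need to be set. The two sample heads are the Before and After dumps from this post; the regular expression encodes the header shapes listed in the ServerTokens table.

```python
import re
# Constructed samples: the post's "Before" and "After" header dumps.
BEFORE = """HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:20:30 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
X-Powered-By: PHP/5.2.3-1ubuntu6.4
Connection: close
Content-Type: text/html; charset=UTF-8
"""
AFTER = """HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 13:06:21 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
"""

# Server header shape per ServerTokens level: Apache[/major[.minor[.patch]]] [(OS)] [modules]
_SERVER_RE = re.compile(r"Apache(?:/(\d+)(?:\.(\d+)(?:\.(\d+))?)?)?(\s*\([^)]*\))?(.*)")

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head (status line plus headers) into a lower-cased name map."""
    headers = {}
    for line in raw.splitlines()[1:]:  # the first line is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def server_tokens_level(server: str) -> str:
    """Infer which ServerTokens level produced a Server header value (Prod, Major, Minor, Min, OS, Full)."""
    m = _SERVER_RE.fullmatch(server.strip())
    if not m:
        return "unknown"  # not an Apache-style Server header
    major, minor, patch, os_part, extra = m.groups()
    # The most revealing component present decides the level; a bare "Apache" is Prod.
    for component, level in ((extra.strip(), "Full"), (os_part, "OS"), (patch, "Min"),
                             (minor, "Minor"), (major, "Major")):
        if component:
            return level
    return "Prod"

def audit(raw: str) -> list:
    """Return remediation findings; an empty list means the head leaks nothing this post hides."""
    h = parse_headers(raw)
    findings = []
    level = server_tokens_level(h.get("server", "Apache"))  # an absent Server header leaks nothing
    if level != "Prod":
        findings.append(f"Server header matches ServerTokens {level}: set 'ServerTokens Prod'")
    if "x-powered-by" in h:
        findings.append("X-Powered-By present: set 'expose_php = Off' in php.ini")
    return findings
```

Feed it the output of `lynx -head -mime_header` (or any saved response head) after reloading Apache; an empty result confirms the summary settings took effect.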