Hide Apache ServerSignature / ServerTokens / PHP X-Powered-By - Comment Page: 1

By default, almost all Apache installations expose sensitive server information: the Apache version number, server operating system details, installed Apache modules, the PHP version and so on. Attackers can use this information when performing attacks. Some examples of how to check the server information that Apache sends:

Error page

Use lynx

    $ lynx -head -mime_header http://www.ubuntu.com
    HTTP/1.0 200 OK
    Date: Fri, 20 Nov 2009 09:25:46 GMT
    Server: Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
    X-Powered-By: PHP/5.2.4-2ubuntu5.7
    Content-Type: text/html; charset=utf-8
    Age: 13
    Content-Length: 0
    X-Cache:...
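The check above can be automated. The following is an added example, not code from the original article: it parses a response head and lists every version or platform detail carried in the `Server` and `X-Powered-By` headers. The function names and the `HARDENED` sample are assumptions made for illustration; the `VERBOSE` sample reuses the lynx output quoted above.

```python
import re

# Response headers that commonly advertise software and versions.
DISCLOSING_HEADERS = ("server", "x-powered-by")

# A header value is a run of product[/version] tokens and "(comment)" parts.
TOKEN_RE = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/(\S+))?")

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # [1:] skips the status line
        if not line.strip():
            break                               # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def disclosures(raw):
    """Return (header, kind, detail) for every version or OS detail leaked."""
    findings = []
    headers = parse_headers(raw)
    for name in DISCLOSING_HEADERS:
        for match in TOKEN_RE.finditer(headers.get(name, "")):
            comment, product, version = match.groups()
            if comment is not None:
                findings.append((name, "platform", comment))
            elif version:
                findings.append((name, "version", f"{product}/{version}"))
    return findings

# Headers from the lynx output quoted above (truncated X-Cache line omitted).
VERBOSE = """HTTP/1.0 200 OK
Date: Fri, 20 Nov 2009 09:25:46 GMT
Server: Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.4-2ubuntu5.7
Content-Type: text/html; charset=utf-8
"""

# Constructed sample: the head expected with ServerTokens Prod and no X-Powered-By.
HARDENED = "HTTP/1.1 200 OK\nServer: Apache\nContent-Type: text/html\n"

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE), ("hardened", HARDENED)):
        print(label, disclosures(raw) or "no version details disclosed")
```

Run it against the head returned by every hop that can answer a request, including load balancers and reverse proxies, since each one sets its own `Server` header.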

15 comments on “Hide Apache ServerSignature / ServerTokens / PHP X-Powered-By” - Comment Page: 1

    1. Good Article.
      Just one thing is missing. Sometimes you need to set the ServerTokens directive in the */apache2/conf.d/security file if the directive is not working. Anyway, good job…

      Reply
    2. Thanks for sharing. Nice website btw

      Reply
    3. If you use XAMPP (v2.5.8) look for the file named httpd-default.conf under \etc\xampp\apache\conf\extra and then make the necessary changes (ServerSignature Off, ServerTokens Prod).

      I was not able to find this info on the net. Hope it helps someone.

      Reply
    4. I also believe therefore, perfectly pent post!

      Reply
    5. […] with web server and scripting language versions: can be turned off or even […]

      Reply
    6. @9jaBrozz: Though 3 years later, it helped me, thanks!

      Reply
    7. Any way to hide via htaccess?

      Reply
    8. Hey. Thanks for the tip. Is there any way I could hide the word “Apache”?!

      Reply
    9. Wow, it's working, but when I add this text (%%) at the end of the URL, the server shows these kinds of details (awselb/2.0). What should I do?

      Reply
      • Hi Shakir Ali,

        This request doesn’t go to your server at all; it’s an error from the AWS load balancer?

        Reply
    10. Working fine, but if we add %% at the end of the URL, the server version shows awselb/2.0.
      How do I fix this?

      Reply
      • Hi Shakir,

        This request doesn’t go to your server at all; it’s an error from the AWS load balancer?

        Reply
    11. Changing just the apache2.conf configuration file didn’t work for me. I needed to change /etc/apache2/conf-enabled/security.conf for the ServerTokens part :)

      I have Debian 8 and Apache 2.4.25. Hiding the Apache version number is a nice boost for site security because it will probably stop some automated attacks against my site.

      Reply
