Hide Apache ServerSignature / ServerTokens / PHP X-Powered-By - Comment Page: 1
By default almost all Apache installations show sensitive server information: the Apache version number, server operating system details, installed Apache modules, the PHP version and so on. Attackers can use this information when performing attacks.
Some examples of how to check the server information that Apache sends:
Error page
Use lynx
$ lynx -head -mime_header http://www.ubuntu.com
HTTP/1.0 200 OK
Date: Fri, 20 Nov 2009 09:25:46 GMT
Server: Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.4-2ubuntu5.7
Content-Type: text/html; charset=utf-8
Age: 13
Content-Length: 0
X-Cache:...
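To check a captured response for exactly this kind of disclosure without a live server, here is an added Python example (it is not part of the original post and is not code from the post's author). It takes the raw header block that lynx -head -mime_header or curl -I returns, embedded below as constructed sample input copied from the response above, lists every product/version token and OS hint found in the Server and X-Powered-By headers, and then checks a second, constructed response against what ServerTokens Prod and expose_php = Off should produce.

```python
"""Detect server/version disclosure in HTTP response headers.

Added example, not from the original post. Feed it the raw header block
that `lynx -head -mime_header URL` or `curl -I URL` prints.
"""
import re

# Headers that commonly carry software names and versions.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# "product/version" tokens such as Apache/2.2.8 or PHP/5.2.4-2ubuntu5.7
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")

# Parenthesised OS hints such as "(Ubuntu)" in the Server header
OS_HINT = re.compile(r"\(([^)]+)\)")

# Constructed sample: the leaky response shown in the post (trailing
# headers dropped).
LEAKY_RESPONSE = """HTTP/1.0 200 OK
Date: Fri, 20 Nov 2009 09:25:46 GMT
Server: Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.4-2ubuntu5.7
Content-Type: text/html; charset=utf-8
"""

# Constructed sample: what the same server answers after
# ServerTokens Prod, ServerSignature Off and expose_php = Off.
HARDENED_RESPONSE = """HTTP/1.0 200 OK
Date: Fri, 20 Nov 2009 09:25:46 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
"""


def parse_headers(raw):
    """Split a raw header block into (status_line, {lowercased name: value})."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line (e.g. a stray blank or body line)
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def find_disclosures(headers):
    """Return (header, product, version) for every versioned token in a
    disclosing header. An empty list means no version leaked."""
    found = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        for product, version in VERSION_TOKEN.findall(value):
            found.append((name, product, version))
    return found


def find_os_hints(headers):
    """Return OS names given in parentheses in the Server header."""
    return OS_HINT.findall(headers.get("server", ""))


def is_hardened(headers):
    """True when Server holds at most a bare product name (ServerTokens Prod)
    and X-Powered-By is absent (expose_php = Off)."""
    return (
        "x-powered-by" not in headers
        and not find_disclosures(headers)
        and not find_os_hints(headers)
    )


def report(raw):
    """Summarise one captured response as a dict."""
    status, headers = parse_headers(raw)
    return {
        "status": status,
        "versions": find_disclosures(headers),
        "os_hints": find_os_hints(headers),
        "hardened": is_hardened(headers),
    }


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        summary = report(raw)
        print(f"{label}: hardened={summary['hardened']}")
        for header, product, version in summary["versions"]:
            print(f"  {header}: {product} {version}")
        for os_name in summary["os_hints"]:
            print(f"  server OS hint: {os_name}")
```

Run it as a script to see the seven product/version pairs and the Ubuntu hint pulled out of the leaky response, and a clean result for the hardened one. To check a real host, replace the constructed strings with the output of lynx -head -mime_header or curl -I; the script only reads the headers you pass in and never contacts a server itself.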
Good Article.
Just one thing is missing. Sometimes you need to set the ServerTokens directive in the */apache2/conf.d/security file if the directive is not working. Anyway, good job…
Thanks for sharing. Nice website, btw.
If you use XAMPP (v2.5.8), look for the file named httpd-default.conf under \etc\xampp\apache\conf\extra and then make the necessary changes (ServerSignature Off, ServerTokens Prod).
I was not able to find this info on the net. Hope it helps someone.
I also believe therefore, perfectly pent post!
[…] with web server and scripting language versions: can be turned off or even […]
@9jaBrozz: Though 3 years later, it helped me, thanks!
Any way to hide it via .htaccess?
Hi ankit,
You can control the ServerSignature directive via .htaccess, but the ServerTokens directive only via the server config, and expose_php only via php.ini.
Doesn’t work with .user.ini :(
Hey. Thanks for the tip. Is there any way I could hide the word “Apache”?!
Wow, it’s working, but when I add this text (%%) at the end of the URL, the server shows these kinds of details (awselb/2.0). What should I do?
Hi Shakir Ali,
This request doesn’t go to your server at all; it’s an error from the AWS load balancer?
Working fine, but if we add %% at the end of the URL, then the server version shows awselb/2.0.
How do I fix this?
Hi Shakir,
This request doesn’t go to your server at all; it’s an error from the AWS load balancer?
Changing just the apache2.conf configuration file didn’t work for me. I needed to change /etc/apache2/conf-enabled/security.conf for the ServerTokens part :)
I have Debian 8 and Apache 2.4.25. Hiding the Apache version number is a nice boost for site security because it will probably stop some automated attacks against my site.