Hide Apache ServerSignature / ServerTokens / PHP X-Powered-By - Comment Page: 1

Updated on December 20, 2016 by JR 15 comments

By default almost all Apache installation shows sensitive server information with Apache version number, server operating system details, installed Apache modules, PHP-version and so on. Attackers can use this information when performing attacks. Some examples howto check server information that Apache sends Error page Use lynx $ lynx -head -mime_header http://www.ubuntu.com HTTP/1.0 200 OK Date: Fri, 20 Nov 2009 09:25:46 GMT Server: Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.7 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g X-Powered-By: PHP/5.2.4-2ubuntu5.7 Content-Type: text/html; charset=utf-8 Age: 13 Content-Length: 0 X-Cache:...

See full post →

15 comments on “Hide Apache ServerSignature / ServerTokens / PHP X-Powered-By - Comment Page: 1”

kashif
23rd May 2012, 3:53 pm

Good Article.
Just one thing is missing. Sometimes you need to set ServerTokens directive in */apache2/conf.d/security file if the directive is not working. Anyways good job…
Reply
Ramon
26th June 2012, 10:29 pm

Thanks for sharing. Nice website btw
Reply
9jaBrozz
17th July 2012, 7:38 pm

If you use XAMPP (v2.5.8) look for the file named httpd-default.conf under \etc\xampp\apache\conf\extra and then make the necessary changes (ServerSignature Off, ServerTokens Prod).

I was not able to find this info in the net. Hope it helps someone.
Reply
Felipe
26th March 2013, 2:46 pm

I also belieνe therefore, peгfectly pent post! .
Reply
Is It Possible To Know What Programming Language A Web-site Uses? | Click & Find Answer !
21st January 2014, 4:27 pm

[…] with web server and scripting language versions: can be turned off or even […]
Reply
lmeurs
12th April 2015, 3:21 pm

@9jaBrozz: Though 3 years later, it helped me, thanks!
Reply
ankit
29th November 2015, 2:19 pm

any way to hide via htaccess?
Reply
- JR
  29th November 2015, 3:27 pm
  
  Hi ankit,
  
  You can control ServerSignature Directive via htaccess, but ServerTokens Directive only via server config and expose_php only via php.ini.
  Reply
  - Iggy
    17th June 2016, 7:43 am
    
    Doesn’t work with .user.ini :(
    Reply
Mohammed
10th August 2016, 11:26 pm

Hey. Thanks for the tip. Is there anyway I could hide the word “Apache”?!
Reply
Shakir Ali
3rd December 2018, 12:59 pm

Wow its working but while i will add this text(%%) in end of url then server show these type of details (awselb/2.0) i should i do ?
Reply
- JR
  9th December 2018, 1:36 am
  
  Hi Shakir Ali,
  
  This request doesn’t go to your server at all, it’s error from aws load balancer?
  Reply
Shakir
10th December 2018, 7:22 am

Working Fine, But if we are adding %% end of url then server version show awselb/2.0,
How does i fix this ?
Reply
- JR
  15th December 2018, 9:32 am
  
  Hi Shakir,
  
  This request doesn’t go to your server at all, it’s error from aws load balancer?
  Reply
Roger Peltonen
12th February 2019, 6:31 pm

Changing just the apache2.conf configuration file didn’t work for me. I needed to change /etc/apache2/conf-enabled/security.conf for the servertokens part :)

I have Debian8 and apache 2.4.25. Hiding the apache version number is a nice boost for site security because it will propably stop some automated attacks against my site.
Reply

15 comments on “Hide Apache ServerSignature / ServerTokens / PHP X-Powered-By - Comment Page: 1”

Leave a Reply to Iggy Cancel reply