How to Hide Apache Header Information

One of the features of Apache that can sometimes be a liability is the web server header. This is an identification string that is sent to user agents. By default, Apache will tell the world about your Apache version, modules that you have installed, and even your operating system and version. Attackers who are planning to gain access to your dedicated server can use that information to find exploits.

There are a few settings you can change to hide your Apache and PHP versions. In your Apache configuration file (httpd.conf or apache2.conf – found in /etc/httpd or /etc/apache2) edit or add the following directives:

ServerSignature Off
ServerTokens Prod

The ServerSignature is that helpful little version string that appears at the bottom of error pages, such as 404 Not Found, giving the user detailed information about your web server and operating system.

ServerTokens determine what Apache shows in the HTTP response header. If you set it to Prod, it will only display:

Server: Apache

To hide the PHP version from remote HTTP requests, edit your php.ini file (often found in /etc/php.ini), and change the line that reads “expose_php On” to Off:

expose_php = Off

Keep in mind that none of these settings will make your server more secure. If your server has security holes or outdated software, it is still vulnerable. What these settings will do is make it more difficult for would-be attackers to learn about your system.