Hide Apache server info

Posted under » Apache » LAMP Security on 30 Dec 2024

When you visit a website, the server sends back information about itself, including a signature that reveals the server type and version. Attackers can use this information to target vulnerabilities.

You can hide this information by modifying the Apache security config. The file, security.conf, is located in the /etc/apache2/conf-available/ directory. We have discussed earlier how to hide the server signature. Remove the comment marker (#) from the ServerSignature Off and ServerTokens Prod lines.

# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
ServerTokens Prod
#ServerTokens Full
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
ServerSignature Off
#ServerSignature On

Restart Apache and you should be good to go.
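To confirm the change took effect, the following added example (not part of the original post) audits a config file for the two directives and checks a Server response header for version or OS details. The function names are hypothetical, and the script assumes a later uncommented directive overrides an earlier one.

```shell
#!/bin/sh
# Added example: audit the two directives discussed above.
# Function names are hypothetical helpers, not Apache tooling.

# effective_value FILE DIRECTIVE
# Print the value of the last uncommented DIRECTIVE line in FILE.
# Directive names are case-insensitive; assumed here: the last setting wins.
effective_value() {
    awk -v d="$2" '
        $1 ~ /^#/ { next }                    # skip commented-out lines
        tolower($1) == tolower(d) { v = $2 }  # remember the latest value
        END { if (v != "") print v }
    ' "$1"
}

# audit_conf FILE
# Return 0 only if FILE sets ServerTokens Prod and ServerSignature Off.
# An unset directive is reported too, so the file states its intent explicitly.
audit_conf() {
    tokens=$(effective_value "$1" ServerTokens)
    sig=$(effective_value "$1" ServerSignature)
    rc=0
    case "$(printf %s "$tokens" | tr 'A-Z' 'a-z')" in
        prod|productonly) ;;   # ProductOnly is the long form of Prod
        *) echo "ServerTokens is '${tokens:-unset}', expected Prod"; rc=1 ;;
    esac
    case "$(printf %s "$sig" | tr 'A-Z' 'a-z')" in
        off) ;;
        *) echo "ServerSignature is '${sig:-unset}', expected Off"; rc=1 ;;
    esac
    return $rc
}

# header_leaks "Server: ..."
# Return 0 if the header still carries a version number or an OS comment,
# e.g. a value of the form "Apache/<version> (<OS>)".
header_leaks() {
    printf '%s\n' "$1" | grep -Eiq '^Server:.*(/[0-9]|\()'
}

# Typical use after restarting Apache:
#   audit_conf /etc/apache2/conf-available/security.conf
#   header_leaks "$(curl -sI http://localhost/ | grep -i '^Server:')" \
#       && echo "Server header still exposes details"
```

With ServerTokens Prod in effect, the header should read just "Server: Apache", which header_leaks treats as clean.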
