Hiding and modifying Apache server information
Fortunately, such data can easily be hidden or modified by changing the ServerSignature and ServerTokens directives.
ServerSignature
ServerSignature configures the footer on server-generated documents, such as a 404 error page. In normal use it is better to hide the whole signature by adding or modifying the following row in the httpd.conf or apache.conf file:
ServerSignature Off
If for some reason you want to show the ServerSignature, use:
ServerSignature On
Or, if you want to show a mailto link (for example the admin mail), use:
ServerSignature Email
ServerTokens
ServerTokens configures the Server HTTP response header. The ServerTokens directive options are the following (add or modify them in the httpd.conf or apache.conf file):
Prod or ProductOnly – Server sends (e.g.): Server: Apache
ServerTokens Prod
Major – Server sends (e.g.): Server: Apache/2
ServerTokens Major
Minor – Server sends (e.g.): Server: Apache/2.2
ServerTokens Minor
Min or Minimal – Server sends (e.g.): Server: Apache/2.2.4
ServerTokens Min
OS – Server sends (e.g.): Server: Apache/2.2.4 (Ubuntu)
ServerTokens OS
Full or not specified – Server sends (e.g.): Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
ServerTokens Full
The ServerTokens setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.
Hide PHP version (X-Powered-By)
Hiding the PHP version (X-Powered-By) is easy. Add or modify the following row in the php.ini file:
expose_php = Off
Summary
The safest basic setup is the following:
httpd.conf or apache.conf rows:
ServerSignature Off
ServerTokens Prod
php.ini row:
expose_php = Off
After all changes, remember to reload the server and check the results. The results should look like this:
Before:
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:20:30 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
X-Powered-By: PHP/5.2.3-1ubuntu6.4
Connection: close
Content-Type: text/html; charset=UTF-8
After:
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 13:06:21 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
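
The Before/After comparison above can be turned into a repeatable check. The following Python is an added example, not part of the original article: it names the ServerTokens level whose output format a Server header matches and reports a remaining X-Powered-By header. The function names are chosen here, and the two sample responses are the ones shown above.

```python
import re
# Apache product token: Apache, Apache/2, Apache/2.2 or Apache/2.2.4
_PRODUCT = re.compile(r"^Apache(?:/(\d+)(?:\.(\d+))?(?:\.(\d+))?)?(?=\s|$)")
# Sample input: the article's own "Before" and "After" responses.
BEFORE = """HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:20:30 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6.4
X-Powered-By: PHP/5.2.3-1ubuntu6.4
Connection: close
Content-Type: text/html; charset=UTF-8
"""
AFTER = """HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 13:06:21 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
"""

def parse_headers(raw):
    """Return {lowercased name: value} for the header block of a raw response."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # [1:] skips the status line
        if not line.strip():
            break                                # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def server_tokens_level(server):
    """Name the ServerTokens level whose output format matches this value."""
    m = _PRODUCT.match(server)
    if not m:
        return "unknown"                         # not an Apache product token
    rest = server[m.end():].strip()
    if rest:                                     # "(Ubuntu)" alone is OS; more is Full
        return "Full" if re.sub(r"^\([^)]*\)", "", rest).strip() else "OS"
    major, minor, patch = m.groups()
    return "Min" if patch else "Minor" if minor else "Major" if major else "Prod"

def audit(raw):
    """Return findings; an empty list matches the article's 'After' response."""
    h, findings = parse_headers(raw), []
    level = server_tokens_level(h.get("server", "Apache"))
    if level not in ("Prod", "unknown"):
        findings.append(f"Server header matches ServerTokens {level}: {h['server']}")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By is sent: {h['x-powered-by']}")
    return findings
```

audit(BEFORE) returns two findings and audit(AFTER) returns an empty list; to check a live server, pass in the response headers captured after the reload.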