How to Hide Apache Version from HTTP Headers

Exposing your specific Apache server version in HTTP response headers provides malicious actors with the exact blueprint they need to target known vulnerabilities in your system. By default, Apache broadcasts its version number and operating system details to anyone who asks. Fortunately, securing this information is a straightforward process that involves modifying just two directives within your Apache configuration file. This guide will walk you through the exact steps to locate your configuration files, apply the necessary changes, and verify that your server is no longer leaking sensitive version data.

Step 1: Locate and Open Your Apache Configuration File

Depending on your operating system and Linux distribution, the main Apache configuration file is located in different places. You will need administrative or sudo privileges to edit these files.

Open the appropriate file in your preferred text editor. For example, on Ubuntu, you might run:

sudo nano /etc/apache2/apache2.conf

Step 2: Modify ServerTokens and ServerSignature

Look through the configuration file for the ServerTokens and ServerSignature directives. If they do not exist, you can add them to the bottom of the file.

Change their values to match the following configuration:

ServerTokens Prod
ServerSignature Off

What Do These Directives Do?

ServerTokens Prod restricts the Server response header to the product name alone (Apache), omitting the version number, operating system and loaded-module details. ServerSignature Off removes the footer line that Apache otherwise appends to server-generated pages such as error pages and directory listings, which would repeat the same version information.

Step 3: Restart the Apache Service

For the changes to take effect, you must restart or reload the Apache web server. Use the command that corresponds to your operating system's init system.

* Systemd systems:

sudo systemctl restart apache2

(Note: Use httpd instead of apache2 on RHEL/CentOS systems.)

* SysV Init systems (older versions):

sudo service apache2 restart

Step 4: Verify the Changes

You can easily verify that your version number is hidden by using the curl command-line tool from your local terminal to inspect the HTTP headers.

Run the following command, replacing yourdomain.com with your actual server IP or domain name:

curl -I https://yourdomain.com

In the output, look closely at the Server line.

Before making these changes, the output likely exposed extensive details:

Server: Apache/2.4.41 (Ubuntu)

After successfully applying the changes, it should only display:

Server: Apache
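The config audit from Step 2 and the header check from Step 4, as an added example that is not part of the original guide: one function reports the effective ServerTokens/ServerSignature values in a config file, and another reads headers captured with curl -I and flags a Server value that still carries a version or OS string. The file path and the sample config and header captures are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an Apache config file for
# the two directives and check captured headers for a leaked version.
# Paths and sample data below are constructed for illustration.
# Print the effective ServerTokens/ServerSignature values in one config file
# (last uncommented occurrence wins, as Apache parses top to bottom);
# values are lowercased and "unset" marks an absent directive.
audit_apache_config() {
    tokens=$(grep -Ei '^[[:space:]]*ServerTokens[[:space:]]+' "$1" \
        | tail -n 1 | awk '{print $2}' | tr 'A-Z' 'a-z')
    signature=$(grep -Ei '^[[:space:]]*ServerSignature[[:space:]]+' "$1" \
        | tail -n 1 | awk '{print $2}' | tr 'A-Z' 'a-z')
    echo "ServerTokens=${tokens:-unset} ServerSignature=${signature:-unset}"
}

# Succeed only when the file sets ServerTokens Prod and ServerSignature Off.
config_is_hardened() {
    [ "$(audit_apache_config "$1")" = "ServerTokens=prod ServerSignature=off" ]
}

# Read raw response headers (as printed by `curl -I`) on stdin; succeed when
# the Server header carries no version or OS detail (or is absent), fail when it does.
server_header_is_minimal() {
    server=$(grep -i '^Server:' | head -n 1 | tr -d '\r' | sed 's/^[^:]*:[[:space:]]*//')
    case "$server" in
        */[0-9]*|*"("*) return 1 ;;   # e.g. "Apache/2.4.41 (Ubuntu)"
        *) return 0 ;;
    esac
}
# Constructed sample inputs: a config with a later override, and two captures.
SAMPLE_CONF=$(mktemp)
printf '%s\n' 'ServerTokens OS' 'ServerSignature On' \
    'ServerTokens Prod' 'ServerSignature Off' > "$SAMPLE_CONF"
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html'
HARDENED_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

audit_apache_config "$SAMPLE_CONF"   # ServerTokens=prod ServerSignature=off
for h in "$LEAKY_HEADERS" "$HARDENED_HEADERS"; do
    if printf '%s\n' "$h" | server_header_is_minimal; then
        echo "Server header ok: no version exposed"
    else
        echo "Server header leaks version/OS details"
    fi
done
rm -f "$SAMPLE_CONF"
```

The audit reads a single file, so on distributions that split the configuration across included files (for example a separate security configuration under conf-enabled on Debian and Ubuntu) run it against each file that may set these directives, since a later include overrides an earlier value. ServerSignature Off is only visible on server-generated pages, so also request a path that does not exist and confirm the 404 page carries no Apache version footer.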