Why Turn Off Apache ServerSignature Directive?
The ServerSignature directive is an Apache HTTP Server configuration
setting that appends a footer line to server-generated documents such as
404 error pages and directory listings. Depending on the ServerTokens
setting, that footer reveals the Apache version number, the operating
system, the server's hostname and port, and (with ServerSignature EMail)
a mailto: link to the ServerAdmin address. Security best practice is to
turn it off: the footer leaks details that let an attacker fingerprint
the server, and that kind of reconnaissance is the usual first step of a
targeted attack.
Understanding the ServerSignature Directive
Apache's compiled-in default is ServerSignature Off, but the stock
configuration shipped by some distributions turns it on; Debian and
Ubuntu, for example, set ServerSignature On and ServerTokens OS in
security.conf. When a user encounters a server-generated error page (such
as 404 Not Found or 500 Internal Server Error), Apache appends a line at
the bottom of the page.
A standard server signature often looks like this:
Apache/2.4.52 (Ubuntu) Server at www.example.com Port 443
It may seem harmless, even helpful for debugging, but it broadcasts the exact product, version and operating system to anyone who can trigger an error page, which takes nothing more than requesting a URL that does not exist.
Why You Should Turn Off ServerSignature
The usual objection is that this is security through obscurity, and it
is: hiding the version number fixes nothing. The point is that there is
no reason to hand the version to an attacker for free. Removing it takes
away one cheap reconnaissance step; it is a layer of defence in depth,
not a substitute for patching.
1. Preventing Information Leakage
Displaying your exact Apache version and operating system lets attackers footprint the system instantly. If a vulnerability (CVE) is published for Apache 2.4.52, an attacker can use search engines or automated scanners to find servers advertising that exact string and target them. Note that distribution packages often backport security fixes without changing the version string, so an advertised 2.4.52 may already be patched; that does not help you, because scanners select targets on the banner, not on the patch level.
2. Reducing the Success of Automated Exploits
Most attacks are not personal; automated bots sweep large address ranges and match banners against lists of known vulnerabilities. Without a version string the bot cannot confirm at a glance whether your server is susceptible to a given exploit, so you drop out of the cheap first pass. It does not stop an exploit attempt fired blindly at every host, which is why patching remains the real control.
3. Compliance and Security Audits
Industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) expect organisations to minimise information disclosure, and the vulnerability scanners used in compliance assessments commonly report server version disclosure as a finding. Leaving the signature on can therefore produce audit findings that have to be remediated, or cause a scan to fail outright.
How to Turn Off ServerSignature in Apache
Disabling this feature is a quick change to the Apache configuration.
You will also want to adjust the sister directive ServerTokens, which
controls the Server response header and also determines the version
string that ServerSignature itself prints. Neither directive removes the
word "Apache" entirely; they only trim the version and OS details.
Step 1: Open the Configuration File
Open the configuration file that carries these directives (usually
httpd.conf, apache2.conf, or security.conf) in a text editor with
administrative privileges. Where it lives depends on the distribution:
- Ubuntu/Debian: /etc/apache2/conf-available/security.conf (enabled through the symlink in conf-enabled)
- CentOS/RHEL: /etc/httpd/conf/httpd.conf
Step 2: Update the Directives
Locate the active ServerSignature line and set it to Off. Then find or
add ServerTokens and set it to Prod (product only). ServerTokens accepts
Full, OS, Minor, Minimal, Major and Prod; Prod reduces both the Server
header and the signature string to the bare word "Apache", whereas OS
(the Debian/Ubuntu default) produces "Apache/2.4.52 (Ubuntu)". Edit the
existing active line rather than appending a second one: Apache applies
the last occurrence it reads, so a stale duplicate silently wins or loses
depending on its position. ServerTokens is valid only in the main server
configuration, not inside a virtual host; ServerSignature can also be set
per virtual host or directory.
ServerSignature Off
ServerTokens Prod
Step 3: Restart Apache
For the changes to take effect, run Apache's configuration syntax check first (so a typo does not leave you with a stopped service) and then restart the service (a reload is sufficient for these directives):
- Ubuntu/Debian: sudo systemctl restart apache2
- CentOS/RHEL: sudo systemctl restart httpd
Then verify from a client rather than from the config file: request a page that does not exist and confirm that the 404 body carries no footer and the Server header reads only "Apache". The banner is gone, which defeats casual reconnaissance; the server can still be fingerprinted from its behaviour (header ordering, error page markup), so treat this as one cheap layer alongside patching, not a replacement for it.
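The whole procedure scripted end to end, as an added example that is not part of the original article: a function that rewrites the two directives in place (editing the active line rather than appending, so no duplicate is left behind), a check that inspects a captured HTTP response for the two leaks, an offline run against a constructed copy of Debian's security.conf and constructed before/after 404 responses, and a live branch that only executes when invoked with --apply. The live branch assumes Debian/Ubuntu paths and service names (security.conf, apachectl, apache2); on CentOS/RHEL substitute /etc/httpd/conf/httpd.conf and httpd. The hostname www.example.com and the sample responses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's own code. Hardens ServerSignature and
# ServerTokens in an Apache config file, then checks a captured HTTP response
# for the leaks they cause. Assumes POSIX sh with grep -E and sed; the live
# branch at the bottom assumes Debian/Ubuntu paths (security.conf, apache2)
# and only runs when the script is invoked with --apply.

# set_directive FILE NAME VALUE
# Rewrites every active "NAME ..." line in FILE to "NAME VALUE", or appends
# one if there is none. Commented-out lines are left alone. Apache honours
# the last occurrence, so rewriting in place avoids a stale duplicate.
set_directive() {
    file="$1" name="$2" value="$3"
    tmp="$file.tmp.$$"
    if grep -qE "^[[:space:]]*$name([[:space:]]|\$)" "$file"; then
        sed -E "s/^[[:space:]]*$name([[:space:]].*)?\$/$name $value/" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s %s\n' "$name" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# harden_apache_conf FILE: apply both settings the article recommends.
harden_apache_conf() {
    set_directive "$1" ServerSignature Off
    set_directive "$1" ServerTokens Prod
}

# check_disclosure TEXT
# TEXT is a raw response (headers and body) as captured with
# `curl -si https://host/does-not-exist`. Prints one line per remaining leak
# and returns 1; returns 0 when neither the header nor the footer leaks.
check_disclosure() {
    text="$1" rc=0
    if printf '%s\n' "$text" | grep -qiE '^Server:[[:space:]]*Apache/[0-9]'; then
        echo "finding: Server header carries a version; set ServerTokens Prod"
        rc=1
    fi
    if printf '%s\n' "$text" | grep -qE '<address>.* Server at .* Port [0-9]+</address>'; then
        echo "finding: signature footer present; set ServerSignature Off"
        rc=1
    fi
    return "$rc"
}

# --- Offline demonstration on a constructed copy of Debian's security.conf ---
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/security.conf"
cat > "$demo_conf" <<'EOF'
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
#ServerTokens Minimal
ServerTokens OS
# Set to one of:  On | Off | EMail
#ServerSignature Off
ServerSignature On
TraceEnable Off
EOF
harden_apache_conf "$demo_conf"
grep -E '^(ServerSignature|ServerTokens) ' "$demo_conf"   # both lines now hardened

# Constructed 404 as an unhardened Debian server returns it (ServerTokens OS).
before='HTTP/1.1 404 Not Found
Server: Apache/2.4.52 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

<title>404 Not Found</title>
<address>Apache/2.4.52 (Ubuntu) Server at www.example.com Port 443</address>'
check_disclosure "$before" || echo "before: leaks found"

# The same request after ServerSignature Off and ServerTokens Prod.
after='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<title>404 Not Found</title>'
check_disclosure "$after" && echo "after: clean"
rm -rf "$demo_dir"

# --- Live use (only with --apply): edit, syntax-check, reload, verify ---
if [ "${1:-}" = "--apply" ]; then
    harden_apache_conf /etc/apache2/conf-available/security.conf
    apachectl -t && systemctl reload apache2
    check_disclosure "$(curl -si "https://${2:-localhost}/this-page-does-not-exist")"
fi
```

Run it without arguments to see the offline demonstration; run it as root with `--apply www.example.com` to edit the real file, syntax-check, reload and verify in one step. The verification deliberately requests a non-existent page, because the footer only appears on server-generated documents such as 404 responses, not on your own static pages.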