How to disable the server signature on an Apache web server
Problem: When the Apache2 web server returns an error page (for example, 404 Not Found or 403 Forbidden), the server signature is displayed at the bottom of the page (for example, the Apache version and operating system information). Likewise, when the Apache2 web server serves a PHP page, it also reveals the PHP version. How can I disable these signatures on the Apache2 web server?
Disclosing the web server signature together with server/PHP version information is a security risk, because you are basically telling attackers which known vulnerabilities apply to your system. Therefore, as part of server hardening, we strongly recommend that you disable all web server signatures.
Disable the Apache web server signature
To disable the Apache web server signature, edit the Apache configuration file.
On Debian, Ubuntu, or Linux Mint:
- $ sudo vi /etc/apache2/apache2.conf
On CentOS, Fedora, RHEL or Arch Linux:
- $ sudo vi /etc/httpd/conf/httpd.conf
Add the following two lines to the bottom of the Apache configuration file.
ServerSignature Off
ServerTokens Prod
Then restart the web server for the change to take effect:
- $ sudo service apache2 restart (Debian, Ubuntu or Linux Mint)
- $ sudo service httpd restart (CentOS/RHEL 6)
- $ sudo systemctl restart httpd.service (Fedora, CentOS/RHEL 7, Arch Linux)
The first line, 'ServerSignature Off', hides Apache version information on all error pages of the Apache2 web server.
However, without 'ServerTokens Prod' in the second line, the Apache server will still include a detailed Server field in the HTTP response header, which leaks the Apache version number.
The second line, 'ServerTokens Prod', reduces the Server field in the HTTP response header to a minimum.
Therefore, with both lines in place, Apache will not disclose version information on the page or in the HTTP response header.
Hide PHP version
Another potential security threat is the leakage of PHP version information in the HTTP response header. By default, the Apache web server includes PHP version information in the "X-Powered-By" field of the HTTP response header. If you want to hide the PHP version in the HTTP header, open the php.ini file in a text editor, find the "expose_php = On" line, and change it to "expose_php = Off".
On Debian, Ubuntu, or Linux Mint:
- $ sudo vi /etc/php5/apache2/php.ini
On CentOS, Fedora, RHEL or Arch Linux:
- $ sudo vi /etc/php.ini
expose_php = Off
Finally, restart the Apache2 web server to reload the updated PHP configuration file.
Now you will no longer see the "X-Powered-By" field in the HTTP response header.
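To confirm that all three settings took effect, the check below (an added example, not part of the original article) audits one HTTP response for the Server header, the X-Powered-By header and the error-page footer. The function name audit_response and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one HTTP response (headers + body) for version disclosure.
# Returns 0 when nothing leaks, 1 otherwise; prints one finding per line.
audit_response() {
    awk '
        BEGIN { bad = 0; in_body = 0 }
        { sub(/\r$/, "") }                          # tolerate CRLF line endings
        !in_body && $0 == "" { in_body = 1; next }  # blank line ends the headers
        !in_body {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
            # ServerTokens Prod leaves exactly "Apache": no "/", "(" or digits.
            if (name == "server") {
                if (value ~ "[/(0-9]") { print "LEAK Server: " value; bad = 1 }
                else                   { print "OK   Server: " value }
            }
            # expose_php = Off removes this header altogether.
            if (name == "x-powered-by") { print "LEAK X-Powered-By: " value; bad = 1 }
            next
        }
        # ServerSignature Off removes the <address> footer from error pages.
        /<address>Apache/ { print "LEAK error-page footer: " $0; bad = 1 }
        END { exit bad }
    '
}

# Constructed sample responses (not captured from a real host); BEFORE combines
# all three leaks in one response for brevity.
BEFORE='HTTP/1.1 404 Not Found
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9
Content-Type: text/html

<html><body><h1>Not Found</h1>
<address>Apache/2.4.7 (Ubuntu) Server at localhost Port 80</address>
</body></html>'

AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<html><body><h1>Not Found</h1></body></html>'

printf '%s\n' "$BEFORE" | audit_response || echo "=> disclosure found"
printf '%s\n' "$AFTER"  | audit_response && echo "=> clean"
```

Against a live server, pipe in a response for a missing path, for example: curl -si http://localhost/no-such-page | audit_response (the URL is an assumption; use your own host).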