How to disable the server signature on an Apache web server

Source: Internet
Author: User
Tags website server arch linux linux mint


Problem: When the Apache2 web server returns an error page (for example, 404 Not Found or 403 Forbidden), the server signature is displayed at the bottom of the page (for example, the Apache version and operating system information). In addition, when the Apache2 web server serves PHP pages, it also reveals the PHP version. How can I disable these signatures on the Apache2 web server?

Disclosing the web server signature with the server/PHP version information is a security risk, because it tells attackers which known vulnerabilities may apply to your system. Therefore, as part of server hardening, we strongly recommend that you disable all web server signatures.

 

Disable the Apache web server signature

To disable the Apache web server signature, edit the Apache configuration file.

On Debian, Ubuntu, or Linux Mint:

  $ sudo vi /etc/apache2/apache2.conf

On CentOS, Fedora, RHEL or Arch Linux:

  $ sudo vi /etc/httpd/conf/httpd.conf

Add the following two lines to the bottom of the Apache configuration file.

ServerSignature Off

ServerTokens Prod

Then restart the web server for the change to take effect:

  $ sudo service apache2 restart (Debian, Ubuntu or Linux Mint)
  $ sudo service httpd restart (CentOS/RHEL 6)
  $ sudo systemctl restart httpd.service (Fedora, CentOS/RHEL 7, Arch Linux)

The first line, 'ServerSignature Off', hides the Apache version information on all error pages of the Apache2 web server.

However, without 'ServerTokens Prod' in the second line, the Apache server will still include detailed server tokens in the HTTP response header, which leaks the Apache version number.

The second line, 'ServerTokens Prod', reduces the Server field in the HTTP response header to a minimum.

Therefore, when both lines are in place, Apache will not disclose version information on the page or in the HTTP response header.

 

Hide PHP version

Another potential security threat is the leakage of PHP version information in the HTTP response header. By default, responses from the Apache web server include PHP version information in the "X-Powered-By" field of the HTTP response header. If you want to hide the PHP version in the HTTP header, open the php.ini file in a text editor, find the "expose_php = On" line, and change it to "expose_php = Off".

On Debian, Ubuntu, or Linux Mint:

  $ sudo vi /etc/php5/apache2/php.ini

On CentOS, Fedora, RHEL or Arch Linux:

  $ sudo vi /etc/php.ini

expose_php = Off

Finally, restart the Apache2 web server to reload the updated PHP configuration file.

Now, you will no longer see the HTTP response header with the "X-Powered-By" field.
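
To confirm that all three settings took effect, the response can be checked for each leak described above. The script below is an added example, not part of the original article: the function name audit_response, the sample responses and their version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads one raw HTTP response (headers, blank line, body) on
# stdin, e.g. from: curl -si http://localhost/no-such-page
# Prints one LEAK line per finding; returns 1 if anything leaks, else 0.
audit_response() {
    tr -d '\r' | awk '
        /^$/ && !body { body = 1; next }          # blank line ends the headers
        body {                                    # error-page footer in the body
            if ($0 ~ /<address>.*Server at /) {
                print "LEAK error-page signature (set ServerSignature Off)"; leaks++
            }
            next
        }
        {
            colon = index($0, ":")
            if (colon == 0) next                  # status line has no field name
            name  = tolower(substr($0, 1, colon - 1))
            value = substr($0, colon + 1)
            sub(/^[ \t]+/, "", value)
            # "Apache" alone is what ServerTokens Prod sends; "/" or "(" means
            # a version, OS or module string is still present.
            if (name == "server" && value ~ "[/(]") {
                print "LEAK Server: " value " (set ServerTokens Prod)"; leaks++
            }
            # expose_php = Off removes this header entirely.
            if (name == "x-powered-by") {
                print "LEAK X-Powered-By: " value " (set expose_php = Off)"; leaks++
            }
        }
        END { exit (leaks > 0) }
    '
}

# Constructed samples (version strings are made up for illustration).
BEFORE='HTTP/1.1 404 Not Found
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9
Content-Type: text/html

<address>Apache/2.4.7 (Ubuntu) Server at localhost Port 80</address>'
AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<p>The requested URL was not found on this server.</p>'

printf '%s\n' "$BEFORE" | audit_response || true   # three LEAK lines
printf '%s\n' "$AFTER"  | audit_response && echo "clean"
```

Request a page that does not exist so that the error-page footer is exercised, and a PHP page so that the X-Powered-By check is meaningful.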
