Revealing a Web server's signature with server/php version information can pose a security risk because you are basically telling the attacker about a known vulnerability on your system. Therefore, as a part of the server hardening, it is highly recommended that you disable all Web server signatures.
Disable Apache Web server signing
Disabling the Apache Web server signature can be done by editing the Apache configuration file.
On the Debian,ubunt or Linux Mint:
$ sudo vi/etc/apache2/apache2.conf
On Centos,fedora,rhel or Arch Linux:
$ sudo vi/etc/httpd/conf/httpd.conf
Add the following two lines to the bottom of the Apache configuration file.
Copy Code code as follows:
Serversignature off
Servertokens Prod
Then restart the Web server for the modifications to take effect:
$ sudo service apache2 restart (Debian, Ubuntu or Linux Mint)
$ sudo service httpd restart (Centos/rhel 6)
$ sudo Systemctl Restart Httpd.service (Fedora, Centos/rhel 7, Arch Linux)
The first line ' serversignature off ' causes the Apache2 Web server to hide the Apache version information on all error pages.
However, without the second line of ' Servertokens Prod ', the Apache server will still contain detailed server tags in the HTTP response header, which leaks the Apache version number.
The second line of ' Servertokens Prod ' is to compress the server tag to the minimum in the HTTP response header.
Therefore, when two rows are placed at the same time, Apache will not leak version information in the page or in the HTTP response header.
Hide PHP Version
Another potential security threat is the disclosure of PHP version information in the HTTP response header. By default, the Apache Web server contains PHP version information through the "x-powered-by" field in the HTTP response header. If you want to hide the PHP version in the HTTP header, use a text editor to open the php.ini file, find the "expose_php = On" line, and change it to "expose_php = Off".
On the Debian,ubunt or Linux Mint:
$ sudo vi/etc/php5/apache2/php.ini
On Centos,fedora,rhel or Arch Linux:
$ sudo vi/etc/php.ini
expose_php = Off
Finally, reboot the APACHE2 Web server to reload the updated PHP configuration file.
Now, you will no longer see the HTTP response header with the "x-powered-by" field.