How to hide a server signature on Apache

Source: Internet
Author: User
Tags ini centos arch linux

This article mainly introduces the method of hiding the server signature on Apache, the example is based on the Linux of Debian department, the friend who need can refer to the

Revealing a Web server's signature with server/php version information can pose a security risk because you are basically telling the attacker about a known vulnerability on your system. Therefore, as a part of the server hardening, it is highly recommended that you disable all Web server signatures.

Disable Apache Web server signing

Disabling the Apache Web server signature can be done by editing the Apache configuration file.

On the Debian,ubunt or Linux Mint:


1 $ sudo vi/etc/apache2/apache2.conf

On Centos,fedora,rhel or Arch Linux:


1 $ sudo vi/etc/httpd/conf/httpd.conf

Add the following two lines to the bottom of the Apache configuration file.

Copy code code as follows:

Serversignature off

Servertokens Prod

Then restart the Web server for the modifications to take effect:


1 2 3 $ sudo service apache2 restart (Debian, Ubuntu or Linux Mint) $ sudo service httpd restart (Centos/rhel 6) $ sudo systemct L Restart Httpd.service (Fedora, Centos/rhel 7, Arch Linux)

The first line ' serversignature off ' causes the Apache2 Web server to hide the Apache version information on all error pages.

However, without the second line of ' Servertokens Prod ', the Apache server will still contain detailed server tags in the HTTP response header, which leaks the Apache version number.

The second line of ' Servertokens Prod ' is to compress the server tag to the minimum in the HTTP response header.

Therefore, when two rows are placed at the same time, Apache will not leak version information in the page or in the HTTP response header.

Hide PHP Version

Another potential security threat is the disclosure of PHP version information in the HTTP response header. By default, the Apache Web server contains PHP version information through the "x-powered-by" field in the HTTP response header. If you want to hide the PHP version in the HTTP header, use a text editor to open the php.ini file, find the "expose_php = On" line, and change it to "expose_php = Off".

On the Debian,ubunt or Linux Mint:


1 $ sudo vi/etc/php5/apache2/php.ini

On Centos,fedora,rhel or Arch Linux:


1 2 3 $ sudo vi/etc/php.ini expose_php = off

Finally, reboot the APACHE2 Web server to reload the updated PHP configuration file.

Now, you will no longer see the HTTP response header with the "x-powered-by" field.

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.