How to hide Apache server signatures

Apache can expose its version, platform, and virtual host name in places that do not help normal visitors but do help routine fingerprinting. Reducing that banner data is a common hardening step because it removes easy clues from response headers and default error pages without changing how the site serves content.

Two directives control what Apache reveals. ServerTokens defines how much detail appears in the Server HTTP response header, while ServerSignature decides whether Apache appends a footer to server-generated pages such as default errors and directory listings. Apache's current documentation also notes that the version detail shown by ServerSignature is controlled by ServerTokens.

Current Debian and Ubuntu packages usually place these directives in /etc/apache2/conf-available/security.conf, while RHEL-style packages commonly keep them in /etc/httpd/conf/httpd.conf or a drop-in under /etc/httpd/conf.d. Test the configuration before you reload it, and check for duplicate directives first because the last active definition wins.

Steps to hide Apache server signatures:

  1. Open a terminal with a user account that can run sudo.
  2. Find the active ServerTokens and ServerSignature settings in the Apache configuration tree.
    $ sudo grep -RIn --include='*.conf' -E '^[[:space:]]*Server(Tokens|Signature)\b' /etc/apache2 /etc/httpd 2>/dev/null
    /etc/apache2/conf-available/security.conf:12:ServerTokens OS
    /etc/apache2/conf-available/security.conf:23:ServerSignature On
    /etc/apache2/conf-enabled/security.conf:12:ServerTokens OS
    /etc/apache2/conf-enabled/security.conf:23:ServerSignature On

    On Debian and Ubuntu, edit the file under /etc/apache2/*-available/ rather than the symlink under /etc/apache2/*-enabled/.

  3. Open the file that currently defines those directives.
    $ sudoedit /etc/apache2/conf-available/security.conf

    On RHEL, Rocky Linux, AlmaLinux, CentOS Stream, and Fedora, the matching file is commonly /etc/httpd/conf/httpd.conf or a custom drop-in under /etc/httpd/conf.d.

    sudoedit opens a temporary copy of the file in the editor named by SUDO_EDITOR, VISUAL or EDITOR and copies it back over the original when the editor exits, so the editor itself never runs as root.

  4. Set ServerTokens to Prod and ServerSignature to Off.
    ServerTokens Prod
    ServerSignature Off

    Prod reduces the Server header to Apache, and Off removes the footer that Apache adds to server-generated documents. Prod is the least detailed value ServerTokens accepts; the header still identifies the product as Apache, so the change narrows fingerprinting rather than eliminating it, and it is no substitute for keeping the server patched.

    ServerTokens applies to the entire server, not to individual virtual hosts. ServerSignature, by contrast, may also be set inside a VirtualHost, Directory or .htaccess context, where a more specific setting can turn the footer back on, so check those places as well.

    If the same directives are defined in multiple loaded files, Apache uses the last active value it reads.

  5. Save the file and close the editor.
  6. Enable the security snippet if you edited /etc/apache2/conf-available/security.conf and it is not already active.
    $ sudo a2enconf security
    Conf security already enabled

    If /etc/apache2/conf-enabled/security.conf already points to the file, this command simply confirms that the snippet is active.

  7. Test the Apache configuration before reloading it.
    $ sudo apache2ctl configtest
    AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.3. Set the 'ServerName' directive globally to suppress this message
    Syntax OK

    The AH00558 line is a hostname warning, not a syntax failure.

    Use sudo httpd -t or sudo apachectl -t on platforms that do not ship apache2ctl.

  8. Reload Apache so it re-reads the updated configuration without a full stop/start cycle.
    $ sudo systemctl reload apache2

    On RHEL-style packages, the unit name is commonly httpd. When systemd is not managing Apache, use sudo apachectl graceful or the platform-equivalent reload command.

  9. Confirm that the Server header no longer exposes a version or OS string.
    $ curl -sI http://127.0.0.1/
    HTTP/1.1 200 OK
    Date: Thu, 09 Apr 2026 04:56:36 GMT
    Server: Apache
    Last-Modified: Thu, 09 Apr 2026 04:56:32 GMT
    ETag: "29af-64effd715e1ce"
    Accept-Ranges: bytes
    Content-Length: 10671
    Vary: Accept-Encoding
    Content-Type: text/html

    If 127.0.0.1 does not reach the VirtualHost you care about, query the public hostname or address your clients actually use instead.

  10. Confirm that a server-generated error page no longer includes an Apache footer.
    $ curl -s http://127.0.0.1/does-not-exist
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p>The requested URL was not found on this server.</p>
    </body></html>

    A custom ErrorDocument can return different HTML, but the Apache-generated footer should still be absent when ServerSignature Off is active. If any directory listings are enabled, request one as well, since mod_autoindex appends the same footer.
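The steps above can be wrapped into a small audit script that finds conflicting directive definitions (step 2) and checks the Server header and 404 page (steps 9 and 10). This is an added example, not code from the page or from the Apache project; the grep output, response headers and error-page bodies embedded below are constructed samples (including the Apache/2.4.58 (Ubuntu) string) so the checks run without a live server, and the --live mode that runs curl against a real host is an assumed convenience, not an Apache feature.

```bash
#!/usr/bin/env bash
# Added example (not from the page or the Apache project): audit helpers for the
# ServerTokens/ServerSignature procedure. The grep output, headers and 404 bodies
# below are constructed inline so the checks run without Apache installed.
set -u

# Same search as step 2: every uncommented ServerTokens/ServerSignature line under
# the given config roots, printed as file:line:directive value.
find_signature_directives() {
    grep -RIn --include='*.conf' -E '^[[:space:]]*Server(Tokens|Signature)\b' "$@" 2>/dev/null
}

# Read that grep output on stdin and report, per directive, whether it is unset or
# set to more than one distinct value. Apache treats directive names and values
# case-insensitively, so both are folded before comparison. Returns 1 on a
# conflict, because only the last definition Apache reads takes effect.
report_conflicts() {
    local input name values count status=0
    input=$(cat)
    for name in servertokens serversignature; do
        values=$(printf '%s\n' "$input" \
            | sed -E 's/^[^:]*:[0-9]+:[[:space:]]*//' \
            | awk -v n="$name" 'tolower($1)==n {print tolower($2)}' \
            | sort -u)
        count=$(printf '%s\n' "$values" | grep -c .)
        if [ "$count" -gt 1 ]; then
            printf '%s has conflicting values: %s\n' "$name" "$(printf '%s' "$values" | tr '\n' ' ')"
            status=1
        elif [ "$count" -eq 0 ]; then
            printf '%s is not set explicitly; the built-in default applies\n' "$name"
        fi
    done
    return "$status"
}

# Read raw response headers (curl -sI output) on stdin. Returns 0 only when the
# Server header is exactly "Apache", which is what ServerTokens Prod produces;
# anything longer still leaks version, OS or module detail.
server_header_is_minimal() {
    local value
    value=$(tr -d '\r' | awk 'tolower($1)=="server:" {sub(/^[^ ]+[ ]*/, ""); print; exit}')
    if [ -z "$value" ]; then
        echo "no Server header in response"
        return 1
    elif [ "$value" = "Apache" ]; then
        return 0
    fi
    printf 'Server header still reveals: %s\n' "$value"
    return 1
}

# Read a server-generated page body on stdin. Apache renders the ServerSignature
# footer as an <address> element; with ServerSignature Off it is absent.
error_page_has_no_footer() {
    if grep -qi '<address>'; then
        echo "ServerSignature footer still present"
        return 1
    fi
    return 0
}

# Run all three checks against a real host (assumed usage: ./audit.sh --live http://127.0.0.1/).
live_check() {
    local base=$1 status=0
    find_signature_directives /etc/apache2 /etc/httpd | report_conflicts || status=1
    curl -sI "$base" | server_header_is_minimal || status=1
    curl -s "${base%/}/does-not-exist" | error_page_has_no_footer || status=1
    return "$status"
}

# Constructed samples (not captured from a real host): a config tree where a
# VirtualHost re-enables the footer, plus leaky and hardened responses.
SAMPLE_GREP='/etc/apache2/conf-available/security.conf:12:ServerTokens OS
/etc/apache2/conf-enabled/security.conf:12:ServerTokens OS
/etc/apache2/conf-available/security.conf:23:ServerSignature Off
/etc/apache2/sites-available/000-default.conf:30:ServerSignature On'
LEAKY_HEADERS=$'HTTP/1.1 200 OK\r\nServer: Apache/2.4.58 (Ubuntu)\r\nContent-Type: text/html\r\n'
HARDENED_HEADERS=$'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n'
LEAKY_404='<h1>Not Found</h1><hr><address>Apache/2.4.58 (Ubuntu) Server at 127.0.0.1 Port 80</address>'
HARDENED_404='<h1>Not Found</h1><p>The requested URL was not found on this server.</p>'

demo() {
    echo "== directive audit (constructed grep output) =="
    printf '%s\n' "$SAMPLE_GREP" | report_conflicts || echo "-> resolve the conflict before editing"
    echo "== Server header: before / after =="
    printf '%s' "$LEAKY_HEADERS" | server_header_is_minimal || true
    printf '%s' "$HARDENED_HEADERS" | server_header_is_minimal && echo "Server header is minimal"
    echo "== 404 page: before / after =="
    printf '%s' "$LEAKY_404" | error_page_has_no_footer || true
    printf '%s' "$HARDENED_404" | error_page_has_no_footer && echo "no footer in 404 page"
}

if [ "${1:-}" = "--live" ]; then live_check "${2:-http://127.0.0.1/}"; else demo; fi
```

The conflict report is the part worth keeping around: a ServerSignature On inside a site file silently overrides the Off in security.conf for that VirtualHost, and the header check alone would not catch it because the Server header is governed only by the server-wide ServerTokens.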