Apache can expose its version, platform, and virtual host name in places that do not help normal visitors but do help routine fingerprinting. Reducing that banner data is a common hardening step because it removes easy clues from response headers and default error pages without changing how the site serves content.
Two directives control what Apache reveals. ServerTokens defines how much detail appears in the Server HTTP response header, while ServerSignature decides whether Apache appends a footer to server-generated pages such as default errors and directory listings. Apache's current documentation also notes that the version detail shown by ServerSignature is controlled by ServerTokens.
Current Debian and Ubuntu packages usually place these directives in /etc/apache2/conf-available/security.conf, while RHEL-style packages commonly keep them in /etc/httpd/conf/httpd.conf or a drop-in under /etc/httpd/conf.d. Test the configuration before you reload it, and check for duplicate directives first because the last active definition wins.
Steps to hide Apache server signatures:
- Open a terminal with a user account that can run sudo.
- Find the active ServerTokens and ServerSignature settings in the Apache configuration tree.
$ sudo grep -RIn --include='*.conf' -E '^[[:space:]]*Server(Tokens|Signature)\b' /etc/apache2 /etc/httpd 2>/dev/null
/etc/apache2/conf-available/security.conf:12:ServerTokens OS
/etc/apache2/conf-available/security.conf:23:ServerSignature On
/etc/apache2/conf-enabled/security.conf:12:ServerTokens OS
/etc/apache2/conf-enabled/security.conf:23:ServerSignature On
On Debian and Ubuntu, edit the file under /etc/apache2/*-available/ rather than the symlink under /etc/apache2/*-enabled/.
- Open the file that currently defines those directives.
$ sudoedit /etc/apache2/conf-available/security.conf
On RHEL, Rocky Linux, AlmaLinux, CentOS Stream, and Fedora, the matching file is commonly /etc/httpd/conf/httpd.conf or a custom drop-in under /etc/httpd/conf.d.
sudoedit uses $EDITOR and writes the changes as the file is saved.
- Set ServerTokens to Prod and ServerSignature to Off.
ServerTokens Prod
ServerSignature Off
Prod reduces the Server header to Apache, and Off removes the footer that Apache adds to server-generated documents.
ServerTokens applies to the entire server, not to individual virtual hosts.
If the same directives are defined in multiple loaded files, Apache uses the last active value it reads.
- Save the file and close the editor.
- Enable the security snippet if you edited /etc/apache2/conf-available/security.conf and it is not already active.
$ sudo a2enconf security
Conf security already enabled
If /etc/apache2/conf-enabled/security.conf already points to the file, this command simply confirms that the snippet is active.
- Test the Apache configuration before reloading it.
$ sudo apache2ctl configtest
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.3. Set the 'ServerName' directive globally to suppress this message
Syntax OK
The AH00558 line is a hostname warning, not a syntax failure.
Use sudo httpd -t or sudo apachectl -t on platforms that do not ship apache2ctl.
- Reload Apache so it re-reads the updated configuration without a full stop/start cycle.
$ sudo systemctl reload apache2
On RHEL-style packages, the unit name is commonly httpd. When systemd is not managing Apache, use sudo apachectl graceful or the platform-equivalent reload command.
- Confirm that the Server header no longer exposes a version or OS string.
$ curl -sI http://127.0.0.1/
HTTP/1.1 200 OK
Date: Thu, 09 Apr 2026 04:56:36 GMT
Server: Apache
Last-Modified: Thu, 09 Apr 2026 04:56:32 GMT
ETag: "29af-64effd715e1ce"
Accept-Ranges: bytes
Content-Length: 10671
Vary: Accept-Encoding
Content-Type: text/html
Query the public hostname or the same VirtualHost address your clients use when localhost does not hit the site definition you care about.
- Confirm that a server-generated error page no longer includes an Apache footer.
$ curl -s http://127.0.0.1/does-not-exist
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>
A custom ErrorDocument can return different HTML, but the Apache-generated footer should still be absent when ServerSignature Off is active.
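The two verification steps above can be turned into a repeatable check that fails when a later package update or duplicate directive brings the banner back. The script below is an added example, not part of the original guide; the function names are hypothetical, and the sample version string and footer are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): banner-leak regression check.

# Print the value of the last Server header found in a block of response headers.
server_header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0 }
        END { print v }'
}

# Succeed (exit 0) when the Server header carries more than the bare "Apache" token.
header_leaks() {
    case "$(server_header_value "$1")" in
        ''|Apache) return 1 ;;  # header absent, or ServerTokens Prod
        *)         return 0 ;;  # version, OS or module detail present
    esac
}

# Succeed (exit 0) when the body contains the footer that ServerSignature appends.
footer_leaks() {
    printf '%s\n' "$1" | grep -Eqi '<address>Apache[^<]* Server at '
}

# Live check against a base URL, using the same two curl requests as the steps above.
check_url() {
    base=${1%/}; rc=0
    if header_leaks "$(curl -sI "$base/")"; then
        echo "LEAK: Server header still exposes detail"; rc=1
    fi
    if footer_leaks "$(curl -s "$base/does-not-exist")"; then
        echo "LEAK: error page still carries the Apache footer"; rc=1
    fi
    return "$rc"
}

# Constructed sample data (the version string and port are made up for the demo).
SAMPLE_LEAKY_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.0 (Ubuntu)
Content-Type: text/html'
SAMPLE_CLEAN_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'
SAMPLE_LEAKY_BODY='<h1>Not Found</h1>
<hr>
<address>Apache/2.4.0 (Ubuntu) Server at 127.0.0.1 Port 80</address>'
SAMPLE_CLEAN_BODY='<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>'

if [ "$#" -gt 0 ]; then check_url "$1"; fi
```

Run it with a base URL such as http://127.0.0.1 as the only argument; a non-zero exit status means at least one of the two checks found banner detail.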
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
