The Apache server signature is a snippet of information included in the HTTP response headers that reveals the server's version and additional details. Exposing these specifics lets an attacker match the version against publicly known weaknesses, making targeted exploitation easier. Controlling server signature visibility is a common practice to reduce the risk of such attacks.

Hiding the signature involves adjusting the Apache configuration to regulate what is disclosed in the response headers. Limiting shared server data is an essential security step, as it denies attackers an easy way to identify key configuration details. Minimal information in the HTTP headers helps maintain a stronger security posture.

The ServerSignature and ServerTokens directives manage how much internal data appears in the headers and in server-generated pages. Adjusting these directives reduces the exposed version and other identifying markers. Restricting the displayed information to a bare minimum removes a cheap reconnaissance signal and aligns with established security best practices.

Steps to disable server signature for Apache:

  1. Launch terminal.
  2. Find the ServerSignature directive in the Apache configuration file.
    $ sudo grep -nr ServerSignature /etc/{httpd,apache2}
    grep: /etc/httpd: No such file or directory
    /etc/apache2/conf-available/security.conf:22:#ServerSignature Off
    /etc/apache2/conf-available/security.conf:23:ServerSignature On
    /etc/apache2/conf-available/localized-error-pages.conf:31:# ServerAdmin email address regardless of the setting of ServerSignature.
  3. Open the Apache configuration file with the ServerSignature directive using your preferred text editor.
    $ sudo vi /etc/apache2/conf-available/security.conf
  4. Set the ServerSignature directive to Off.
    ServerSignature Off

    Add a new line, or uncomment the existing ServerSignature entry and set its value to Off. Make sure the active ServerSignature On line (line 23 in the output above) is changed or removed: Apache applies the last directive it reads, so an uncommented Off followed by the original On leaves the signature enabled.

  5. Find the ServerTokens directive in the Apache configuration file.
    $ sudo grep -nr ServerTokens /etc/{httpd,apache2}
    grep: /etc/httpd: No such file or directory
    /etc/apache2/conf-available/security.conf:5:# ServerTokens
    /etc/apache2/conf-available/security.conf:11:#ServerTokens Minimal
    /etc/apache2/conf-available/security.conf:12:ServerTokens OS
    /etc/apache2/conf-available/security.conf:13:#ServerTokens Full
  6. Open the Apache configuration file with the ServerTokens directive using your preferred text editor.
    $ sudo vi /etc/apache2/conf-available/security.conf
  7. Set the ServerTokens directive to Prod.

    As the comment in security.conf explains, this directive configures what is returned as the Server HTTP response header. The default is 'Full', which sends information about the OS type and compiled-in modules. Set it to one of: Full | OS | Minimal | Minor | Major | Prod, where Full conveys the most information and Prod the least.

    Add a new line, or uncomment the existing ServerTokens entry and set its value to Prod. As with ServerSignature, change or remove the active ServerTokens OS line (line 12 in the output above) so that it does not override the new setting.

  8. Save and exit the text editor.
  9. Restart the Apache service for the changes to take effect.
    $ sudo systemctl restart apache2
  10. Verify that the server signature has been disabled by inspecting the HTTP headers in the response from your server.
    $ curl -I 127.0.0.1
    HTTP/1.1 200 OK
    Date: Sun, 03 Sep 2023 04:04:41 GMT
    Server: Apache
    Last-Modified: Fri, 25 Aug 2023 12:12:15 GMT
    ETag: "29af-603be4163c6a4"
    Accept-Ranges: bytes
    Content-Length: 10671
    Vary: Accept-Encoding
    Content-Type: text/html

    The Server header should now read just Apache. ServerSignature controls the footer line on server-generated pages (error pages and directory listings) rather than the Server header, so also request a non-existent path, for example with curl 127.0.0.1/does-not-exist, and confirm that no Apache version line appears at the bottom of the 404 page.
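    To turn the verification in step 10 into a repeatable check, here is an added shell example (not part of the original article) that inspects a captured header block for version or OS disclosure and reads the effective ServerTokens and ServerSignature values from a config fragment, honouring Apache's last-directive-wins rule. The header and config samples are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: audit captured HTTP response
# headers and an Apache config fragment for version disclosure.

# Constructed sample: headers as returned with ServerTokens OS (before hardening).
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.57 (Ubuntu)
Content-Type: text/html'

# Constructed sample: headers as returned with ServerTokens Prod (after hardening).
HARDENED_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

# server_header_leaks <headers>
# Returns 0 (true) when the Server header carries more than the bare product name.
# A "/" introduces a version (Minimal, Minor, Major, OS); "(" introduces OS details.
server_header_leaks() {
    server=$(printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1)=="server:" {sub(/^[^:]*:[ \t]*/, ""); print; exit}')
    case "$server" in
        */*|*"("*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of the relevant lines in conf-available/security.conf,
# with ServerTokens already fixed but ServerSignature still On.
SAMPLE_CONF='# ServerTokens
#ServerTokens Minimal
ServerTokens Prod
#ServerTokens Full
#ServerSignature Off
ServerSignature On'

# effective_directive <conf-text> <directive>
# Prints the value of the last uncommented occurrence, since Apache applies the last one read.
effective_directive() {
    printf '%s\n' "$1" | awk -v d="$2" 'tolower($1)==tolower(d) {v=$2} END {print v}'
}

# audit_conf <conf-text>: 0 if both directives hold their hardened values, 1 otherwise.
audit_conf() {
    [ "$(effective_directive "$1" ServerTokens)" = "Prod" ] &&
    [ "$(effective_directive "$1" ServerSignature)" = "Off" ]
}

# Demonstration against the constructed samples.
if server_header_leaks "$LEAKY_HEADERS"; then echo "before: Server header discloses version/OS"; fi
if ! server_header_leaks "$HARDENED_HEADERS"; then echo "after: Server header is bare Apache"; fi
if audit_conf "$SAMPLE_CONF"; then echo "config hardened"; else echo "config still has ServerSignature On"; fi
```

    On a live host, feed the functions with `curl -sI 127.0.0.1` and `cat /etc/apache2/conf-available/security.conf` instead of the constructed samples.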
