The server signature is the identifying information Apache adds to its responses: the Server HTTP response header, and a footer line on server-generated pages such as error documents and directory listings. By default this includes the Apache version and, depending on configuration, the operating system and compiled-in modules. While this may seem harmless, it gives potential attackers valuable insight into your server configuration.
Disabling the server signature is a common hardening step. Hiding the Apache version and other details makes it harder for attackers to match your server against known vulnerabilities for that specific version and build.
In Apache this is controlled by two directives: ServerSignature, which controls the footer on server-generated pages, and ServerTokens, which controls how much the Server header reveals. By changing them in the Apache configuration file you decide what information, if any, is exposed.
$ sudo grep -nr ServerSignature /etc/{httpd,apache2}
grep: /etc/httpd: No such file or directory
/etc/apache2/conf-available/security.conf:22:#ServerSignature Off
/etc/apache2/conf-available/security.conf:23:ServerSignature On
/etc/apache2/conf-available/localized-error-pages.conf:31:# ServerAdmin email address regardless of the setting of ServerSignature.
$ sudo vi /etc/apache2/conf-available/security.conf
ServerSignature Off
Add the line, or uncomment the existing ServerSignature line, and set its value to Off.
$ sudo grep -nr ServerTokens /etc/{httpd,apache2}
grep: /etc/httpd: No such file or directory
/etc/apache2/conf-available/security.conf:5:# ServerTokens
/etc/apache2/conf-available/security.conf:11:#ServerTokens Minimal
/etc/apache2/conf-available/security.conf:12:ServerTokens OS
/etc/apache2/conf-available/security.conf:13:#ServerTokens Full
$ sudo vi /etc/apache2/conf-available/security.conf
The comment above the directive in security.conf explains the options: "This directive configures what you return as the Server HTTP response Header. The default is 'Full' which sends information about the OS-Type and compiled in modules. Set to one of: Full | OS | Minimal | Minor | Major | Prod where Full conveys the most information, and Prod the least."
Add the line, or uncomment the existing ServerTokens line, and set its value to Prod.
$ sudo systemctl restart apache2
$ curl -I 127.0.0.1
HTTP/1.1 200 OK
Date: Sun, 03 Sep 2023 04:04:41 GMT
Server: Apache
Last-Modified: Fri, 25 Aug 2023 12:12:15 GMT
ETag: "29af-603be4163c6a4"
Accept-Ranges: bytes
Content-Length: 10671
Vary: Accept-Encoding
Content-Type: text/html
The Server header should now show only Apache, with no version or OS details.
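As an added example (not part of the original post), a small POSIX shell helper that reports the effective value of a directive in a config file, skipping commented-out lines like the ones the grep output above turned up, and that checks whether a captured header block still reveals more than the bare product name. It assumes the single-file case: when a directive appears more than once in one file, Apache uses the last active occurrence.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: within one file the
# last uncommented occurrence of a directive wins; "#" lines are comments.

# effective_directive FILE DIRECTIVE
# Prints the value of the last uncommented DIRECTIVE line in FILE, or "unset".
effective_directive() {
    awk -v want="$2" '
        # $1 is the first token: "#ServerTokens" or "#" never equals the
        # directive name, so "#ServerTokens Minimal" is correctly skipped.
        tolower($1) == tolower(want) { val = $2 }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# server_header_leaks HEADERS
# HEADERS is an HTTP response header block (e.g. the output of curl -sI).
# Returns 0 if the Server header carries anything beyond the bare product
# name "Apache" (version, OS, modules); returns 1 if it is just "Apache"
# or the header is absent.
server_header_leaks() {
    printf '%s\n' "$1" | awk -F': ' '
        { sub(/\r$/, "", $2) }                    # strip CRLF line endings
        tolower($1) == "server" && $2 != "Apache" { leak = 1 }
        END { if (leak) exit 0; exit 1 }
    '
}

# Constructed sample mirroring the grep output above, written to a temp file.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
#ServerTokens Minimal
ServerTokens OS
#ServerTokens Full
#ServerSignature Off
ServerSignature On
EOF
echo "ServerTokens    -> $(effective_directive "$sample_conf" ServerTokens)"
echo "ServerSignature -> $(effective_directive "$sample_conf" ServerSignature)"
rm -f "$sample_conf"

# Constructed header blocks; on a live host use: curl -sI 127.0.0.1
before=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Ubuntu)\r\n')
after=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n')
server_header_leaks "$before" && echo "before: Server header leaks version/OS"
server_header_leaks "$after"  || echo "after:  Server header is just Apache"
```

On a real host, point effective_directive at /etc/apache2/conf-available/security.conf and pipe `curl -sI 127.0.0.1` into server_header_leaks to confirm both the configured and the observed state after the restart.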