Apache server signature refers to the version and platform details Apache advertises about itself: the Server HTTP response header and the footer line appended to server-generated pages such as error pages and directory listings. This information can expose your server to unnecessary risk by revealing specifics (exact version, operating system, loaded modules) that attackers use to pick matching exploits. Disabling the server signature is a standard hardening measure that removes these details from what the server discloses.

Hiding the server signature reduces the likelihood of targeted attacks by making it harder for attackers to identify the server's configuration. This process involves modifying the Apache configuration to control what information is displayed in the HTTP headers. By doing this, you can enhance your server's security posture.

To manage what details are shared, Apache uses the ServerSignature and ServerTokens directives. Adjusting these directives in the Apache configuration file lets you minimize or eliminate the information provided in the HTTP headers and generated pages, reducing what a scanner can learn about your server. Note that this hides the version rather than fixing anything in it; keeping Apache patched is still required.

Steps to disable server signature for Apache:

  1. Launch terminal.
  2. Find the ServerSignature directive in the Apache configuration file.
    $ sudo grep -nr ServerSignature /etc/{httpd,apache2}
    grep: /etc/httpd: No such file or directory
    /etc/apache2/conf-available/security.conf:22:#ServerSignature Off
    /etc/apache2/conf-available/security.conf:23:ServerSignature On
    /etc/apache2/conf-available/localized-error-pages.conf:31:# ServerAdmin email address regardless of the setting of ServerSignature.
  3. Open the Apache configuration file with the ServerSignature directive using your preferred text editor.
    $ sudo vi /etc/apache2/conf-available/security.conf
  4. Set the ServerSignature directive to Off.
    ServerSignature Off

    Add a new line or uncomment the ServerSignature and set the value to Off.

  5. Find the ServerTokens directive in the Apache configuration file.
    $ sudo grep -nr ServerTokens /etc/{httpd,apache2}
    grep: /etc/httpd: No such file or directory
    /etc/apache2/conf-available/security.conf:5:# ServerTokens
    /etc/apache2/conf-available/security.conf:11:#ServerTokens Minimal
    /etc/apache2/conf-available/security.conf:12:ServerTokens OS
    /etc/apache2/conf-available/security.conf:13:#ServerTokens Full
  6. Open the Apache configuration file with the ServerTokens directive using your preferred text editor.
    $ sudo vi /etc/apache2/conf-available/security.conf
  7. Set the ServerTokens directive to Prod.

    This directive configures what Apache returns as the Server HTTP response header. The default is 'Full', which sends information about the OS type and compiled-in modules. Set it to one of: Full | OS | Minimal | Minor | Major | Prod, where Full conveys the most information and Prod the least.

    Add a new line or uncomment the ServerTokens and set the value to Prod.

  8. Save and exit the text editor.
  9. Restart the Apache service for the changes to take effect.
    $ sudo systemctl restart apache2
  10. Verify that the server signature has been disabled by inspecting the HTTP headers in the response from your server.
    $ curl -I 127.0.0.1
    HTTP/1.1 200 OK
    Date: Sun, 03 Sep 2023 04:04:41 GMT
    Server: Apache
    Last-Modified: Fri, 25 Aug 2023 12:12:15 GMT
    ETag: "29af-603be4163c6a4"
    Accept-Ranges: bytes
    Content-Length: 10671
    Vary: Accept-Encoding
    Content-Type: text/html

    The Server header should only display Apache now.
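    The whole procedure (steps 4, 7, 9 and 10) can be applied in one go with the following POSIX shell script. This is an added example and not part of the original article; it assumes the Debian/Ubuntu layout shown above (security.conf under /etc/apache2/conf-available, the apache2 service and the apache2ctl tool), and it adds one check the steps above leave out: running apache2ctl configtest before restarting, so a typo in the config cannot take the server down. The set_directive and server_header_minimal functions are helpers written for this example, not Apache tools.

```shell
#!/bin/sh
# harden_apache_tokens.sh (example script, not from the article or the Apache project)
# Sets ServerSignature Off and ServerTokens Prod in an Apache config file,
# syntax-checks the result, restarts Apache and verifies the Server header.

# Rewrite an Apache directive in a config file so it has exactly one active
# line with the wanted value. The first active occurrence is replaced, further
# active duplicates are dropped, commented-out lines are left untouched, and
# the directive is appended if it was absent. Directive names are matched
# case-insensitively, as Apache itself does.
set_directive() {
  conf="$1"; name="$2"; value="$3"
  tmp="$(mktemp)"
  awk -v n="$name" -v v="$value" '
    BEGIN { ln = tolower(n); done = 0 }
    {
      s = $0; sub(/^[ \t]+/, "", s)
      if (tolower(s) ~ ("^" ln "[ \t]+")) {   # active occurrence of the directive
        if (!done) { print n " " v; done = 1 }
        next                                  # drop duplicates
      }
      print                                   # comments and other directives pass through
    }
    END { if (!done) print n " " v }          # absent: append it
  ' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Print the value of the Server header from a raw HTTP header block on stdin
# (as produced by `curl -I`); CRLF line endings are tolerated.
server_header() {
  tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Succeed only when the Server header carries the bare product name, which is
# what ServerTokens Prod produces; anything with a version or OS suffix fails.
server_header_minimal() {
  v="$(server_header)"
  [ "$v" = "Apache" ]
}

# Apply both directives, syntax-check, restart, then verify against localhost.
# Assumes Debian/Ubuntu names (apache2ctl, apache2); RHEL-family systems use
# apachectl and httpd instead.
harden() {
  conf="$1"
  set_directive "$conf" ServerSignature Off
  set_directive "$conf" ServerTokens Prod
  apache2ctl configtest || { echo "config check failed, not restarting" >&2; return 1; }
  systemctl restart apache2
  if curl -sI http://127.0.0.1/ | server_header_minimal; then
    echo "Server header is now bare: OK"
  else
    echo "Server header still reveals details; check for overriding directives" >&2
    return 1
  fi
}

# Usage (as root): APACHE_CONF=/etc/apache2/conf-available/security.conf sh harden_apache_tokens.sh
if [ -n "${APACHE_CONF:-}" ]; then
  harden "$APACHE_CONF"
fi
```

    Because set_directive replaces the active line in place, rerunning the script is harmless, and the configtest gate means a broken edit is reported before any restart is attempted.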
