Menu

How To Hide Apache and PHP Version from HTTP Headers

Written by , Updated on May 9, 2020
, , , ,

Website security is the most important and critical component of web hosting. The cyber attacks may damage your application. This tutorial will help you to hide Apache/PHP version details from end-users. Before making the change first use below command to view what information server sending an HTTP header.

Step 1 – Check Header Details

You can use curl or wget command to fech head details of any website via command line.

wget --server-response --spider http://example.com/index.php

Note the above details and keep for comparing later. Let’s follow the steps to hide details.

Step 2 – Hide Apache Server Details

First of all, find and edit Apache configuration file on your system. The Apache configuration file can be find at the following location.

Configuration Files

  • CentOS/Fedora/Redhat – /etc/httpd/conf/httpd.conf
  • Ubuntu/Debian/Linuxmint – /etc/apache2/conf-enabled/security.conf

Setup ServerTokens Directive

The ServerTokens directive controls whether Server response header field which is sent back to clients includes the generic OS details.

There are following options can be configured with the response values when using that. Use one of below on basis of the server.

ServerTokens Prod    # Server sends (e.g.): Server: Apache

click here for more option’s to use with ServerTockens directive

Setup ServerSignature Directive

The ServerSignature configures the footer on server-generated documents. Edit Apache configuration file and search ServerSignature directive and update it. Read More about ServerSignature

ServerSignature  Off

Step 3 – Hide PHP Version

By Default PHP installation exposes to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (Eg:, X-Powered-By: PHP/7.2.0-2+ubuntu16.04.1+deb.sury.org+2). Read More

Configuration File-

  • CentOS/Fedora/Redhat – /etc/php.ini
  • Ubuntu/Debian/Linuxmint – /etc/php/7.2/apache2/php.ini

To hide this values from header edit php.ini and update below directive to Off

expose_php = Off

Step 4 – Reload Apache and Verify Settings

Restart Apache server to reload changes.

sudo sytemctl restart httpd.service        ## Redhat systems 
sudo sytemctl restart apache2.service      ## Debian systems

You have made the necessary changes in your server. Now again use below command after making all changes and compare the output with earlier results.

wget --server-response --spider http://example.com/index.php

Rahul
Rahul
Connect on Facebook Connect on Twitter

I, Rahul Kumar am the founder and chief editor of TecAdmin.net. I am a Red Hat Certified Engineer (RHCE) and working as an IT professional since 2009..

Related Posts

3 Comments

  1. Avatar Mainul Reply to Mainul
    September 10, 2019 at 7:20 am

    Very Nice Bro

  2. Avatar Website Design Oakville Reply to Website
    October 18, 2018 at 1:57 am

    Pretty nice post. I discovered your weblog and
    wished to say just
    that I’ve really enjoyed surfing around your blog
    posts. In any full case
    I’m going to be subscribing to your rss feed (hopefully I could find it) and I am hoping
    you soon write again very!

  3. Avatar f 3 r y Reply to f
    October 21, 2014 at 9:21 pm

    hi how can i remove server header complete when using ServerTokens Prod its set server header to Apache!! i want to remove this or replace that.
    thanks for your nice site.

Leave a Reply

Copyright © 2013-2020 TecAdmin.net. All Rights Reserved. This site uses cookies. By using this website you agree with our term and services