How To Hide Apache and PHP Version from HTTP Headers

When you are running a website or web application, it is essential to maintain the security and integrity of your server. One of the simplest yet most important steps is to hide your Apache and PHP version information from HTTP headers. By default, this information is exposed in HTTP response headers, potentially making your server more vulnerable to attacks.

In this article, we will show you how to hide Apache and PHP version information from HTTP headers to improve your server’s security.

Step 1: Understanding the Risks of Exposed Versions

Exposing version information of Apache and PHP may not seem like a significant security risk. However, it can make it easier for hackers to identify known vulnerabilities specific to those versions. By hiding this information, you are reducing the possibility of targeted attacks and potentially slowing down an attacker’s progress.

Step 2: Check Header Details

You can use the curl or wget command to fetch the header details of any website via the command line.

wget --server-response --spider http://your-domain.com/index.php 

Note the above details and keep them for comparison later. Let’s follow the steps to hide details.

Step 3: Hiding Apache Version Information

To hide Apache version information, you need to modify its main configuration file, typically located at “/etc/httpd/conf/httpd.conf” or “/etc/apache2/conf-enabled/security.conf”, depending on your system.

1. Open the Apache configuration file with a text editor, such as nano or vi:

   sudo nano /etc/httpd/conf/httpd.conf    ## Redhat systems 
   sudo nano /etc/apache2/conf-enabled/security.conf    ## Debian systems 
   

2. Locate the “ServerTokens” and “ServerSignature” directives. If they do not exist, add them to the file. Update these directives as follows:
   ServerTokens Prod ServerSignature Off

   1 2	ServerTokens Prod ServerSignature Off

   The “ServerTokens Prod” directive tells Apache to only display the word “Apache” without any version information. The “ServerSignature Off” directive disables the server signature in error pages.

3. Save and close the configuration file. After modifying the configuration file, you need to restart Apache for the changes to take effect:

   sudo systemctl restart httpd    ## Redhat systems 
   sudo systemctl restart apache2    ## Debian systems 
   

Step 4: Hiding PHP Version Information

To hide PHP version information, you need to modify the PHP configuration file, usually called php.ini, which can be found in different locations depending on your system.

1. Open the php.ini file with a text editor:

   sudo nano /etc/php/7.4/apache2/php.ini 
   

   Replace “7.4” with your PHP version if different.

2. Locate the “expose_php” directive. If it does not exist, add it to the file. Update this directive as follows:
   expose_php = Off

   1	expose_php = Off

   This setting disables exposing the PHP version in HTTP response headers.

   Save and close the configuration file.

3. After editing the php.ini file, restart the Apache service for the changes to take effect:

   sudo systemctl restart httpd     ## Redhat systems 
   sudo systemctl restart apache2    ## Debian systems 
   

Step 5: Verifying the Changes

To verify that the changes have been successfully applied, you can use an online HTTP header checker or a command-line tool like curl:

wget --server-response --spider http://your-domain.com/index.php 

Replace “your-domain.com” with your actual domain. The output should not contain any Apache or PHP version information

Additional Security Tips

While hiding Apache and PHP version information is a good starting point, there are other steps you can take to improve your server’s security:

1. Keep your software up to date: Regularly update your operating system, Apache, PHP, and any other software you have installed. This ensures that you have the latest security patches and fixes.
2. Disable unused modules: Only enable the Apache and PHP modules that you need for your web application. Disabling unnecessary modules reduces the attack surface.
3. Configure strict access permissions: Ensure that sensitive files and directories have strict access permissions, preventing unauthorized access.
4. Implement a Web Application Firewall (WAF): A WAF can help protect your web application from common attacks like SQL injection and cross-site scripting (XSS).
5. Use HTTPS: Encrypt the communication between your server and the clients by enabling HTTPS with a valid SSL certificate.

Conclusion

Hiding Apache and PHP version information from HTTP headers is a simple yet crucial step in securing your web server. By concealing this information, you make it more difficult for attackers to target known vulnerabilities in your software. Coupled with regular software updates, strict access permissions, and other security measures, you can significantly reduce your server’s exposure to potential attacks.