Basic Security Tips to Hide Apache/PHP Version

Written by
Rahul K.
Security, Web Servers 1 Comment

This article will help you to hide Apache/PHP version details from end users. Before making change first use below command to view that what information server sending in HTTP header.

# wget --server-response --spider http://local.tecadmin.net

--17:54:02--  http://local.tecadmin.net/
Resolving local.tecadmin.net... 192.168.1.11
Connecting to local.tecadmin.net|192.168.1.11|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Mon, 07 Oct 2013 07:17:01 GMT
   Server: Apache/2.2.15 (CentOS)
  X-Powered-By: PHP/5.4.20       
  Connection: close
  Content-Type: text/html; charset=UTF-8
Length: unspecified [text language="/html"][/text]
200 OK

Note the above details and keep for comparing later. Let’s follow the steps to hide details.

1. Hide Apache Server Information

Setup ServerTokens Directive:

The ServerTokens directive controls whether Server response header field which is sent back to clients includes the generic OS details. Read More about ServerTokens

There are following options can be configured with the response values when use that. Use one of below on basis of server.

ServerTokens Prod    # Server sends (e.g.): Server: Apache

ServerTokens Major   # Server sends (e.g.): Server: Apache/2

click here for more option’s to use with ServerTockens directive

Setup ServerSignature Directive

The ServerSignature configures the footer on server-generated documents. Edit Apache configuration file and search ServerSignature directive and update it. Read More about ServerSignature

ServerSignature  Off

2. Hide PHP Version

By Default PHP installation exposes to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (Eg:, X-Powered-By: PHP/5.4.20). Read More

To hide this values from header edit php.ini and update below directive to Off

expose_php = Off

3. Restart Apache and Verify Changes

Restart Apache server to reload changes.

# service httpd restart

You have make necessary changes in your server. Now again use below command after making all changes and compare output with earlier results.

# wget --server-response --spider http://wordpress.tecadmin.net

--18:22:20--  http://wordpress.tecadmin.net/
Resolving wordpress.tecadmin.net... 192.168.1.11
Connecting to wordpress.tecadmin.net|192.168.1.11|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Mon, 07 Oct 2013 07:45:18 GMT
   Server: Apache      
  Connection: close
  Content-Type: text/html; charset=UTF-8
Length: unspecified [text language="/html"][/text]
200 OK

Rahul K.
Rahul K.
Connect on Facebook Connect on Twitter Connect on Google+

I, Rahul Kumar is the founder and chief editor of TecAdmin.net. I am Red Hat Certified Engineer (RHCE) and working as IT professional since 2009.

Related Posts

1 Comment

  1. f 3 r y Reply to f
    October 21, 2014 at 9:21 pm

    hi how can i remove server header complete when using ServerTokens Prod its set server header to Apache!! i want to remove this or replace that.
    thanks for your nice site.

Leave a Reply

All rights reserved. © 2017 TecAdmin.net. This site uses cookies. By using this website you agree our term and services
Hosted @DigitalOcean