When you are running a website or web application, it is essential to maintain the security and integrity of your server. One of the simplest yet most important steps is to hide your Apache and PHP version information from HTTP headers. By default, this information is exposed in HTTP response headers, potentially making your server more vulnerable to attacks.
In this article, we will show you how to hide Apache and PHP version information from HTTP headers to improve your server’s security.
Step 1: Understanding the Risks of Exposed Versions
Exposing version information of Apache and PHP may not seem like a significant security risk. However, it can make it easier for hackers to identify known vulnerabilities specific to those versions. By hiding this information, you are reducing the possibility of targeted attacks and potentially slowing down an attacker’s progress.
Step 2: Check Header Details
You can use the curl or wget command to fetch the header details of any website via the command line.
wget --server-response --spider http://your-domain.com/index.php
Note the above details and keep them for comparison later. Let’s follow the steps to hide details.
Step 3: Hiding Apache Version Information
To hide Apache version information, you need to modify its main configuration file, typically located at “/etc/httpd/conf/httpd.conf” or “/etc/apache2/conf-enabled/security.conf”, depending on your system.
- Open the Apache configuration file with a text editor, such as nano or vi:
sudo nano /etc/httpd/conf/httpd.conf ## Redhat systems
sudo nano /etc/apache2/conf-enabled/security.conf ## Debian systems
- Locate the “ServerTokens” and “ServerSignature” directives. If they do not exist, add them to the file. Update these directives as follows:
ServerTokens Prod
ServerSignature Off
The “ServerTokens Prod” directive tells Apache to only display the word “Apache” without any version information. The “ServerSignature Off” directive disables the server signature in error pages.
- Save and close the configuration file. After modifying the configuration file, you need to restart Apache for the changes to take effect:
sudo systemctl restart httpd ## Redhat systems
sudo systemctl restart apache2 ## Debian systems
Step 4: Hiding PHP Version Information
To hide PHP version information, you need to modify the PHP configuration file, usually called php.ini, which can be found in different locations depending on your system.
- Open the php.ini file with a text editor:
sudo nano /etc/php/7.4/apache2/php.ini
Replace “7.4” with your PHP version if different.
- Locate the “expose_php” directive. If it does not exist, add it to the file. Update this directive as follows:
expose_php = Off
This setting disables exposing the PHP version in HTTP response headers.
- Save and close the configuration file.
- After editing the php.ini file, restart the Apache service for the changes to take effect:
sudo systemctl restart httpd ## Redhat systems
sudo systemctl restart apache2 ## Debian systems
Step 5: Verifying the Changes
To verify that the changes have been successfully applied, you can use an online HTTP header checker or a command-line tool such as curl or wget:
wget --server-response --spider http://your-domain.com/index.php
Replace “your-domain.com” with your actual domain. The output should not contain any Apache or PHP version information.
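A scripted form of the before/after comparison from Steps 2 and 5, as an added example that is not part of the original article. The function name check_version_leak and the sample headers are constructed for illustration; it flags a Server header that carries more than the bare product name, and any X-Powered-By header.

```shell
#!/bin/sh
# Added example: check_version_leak and the sample headers are constructed.
# Reads raw response headers on stdin, prints each header that discloses
# version details, and returns 1 if any was found (0 if clean).
#   curl -sI http://your-domain.com/index.php | check_version_leak
#   wget --server-response --spider http://your-domain.com/index.php 2>&1 | check_version_leak
check_version_leak() {
    awk '
    {
        sub(/\r$/, "")          # drop the CR of CRLF line endings
        sub(/^[ \t]+/, "")      # wget indents the header lines it prints
        name = tolower($0); sub(/:.*/, "", name)
        value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
    }
    # ServerTokens Prod leaves the bare product name; a digit or "("
    # means a version number or OS comment is still being sent.
    name == "server" && value ~ /[0-9(]/ { print "LEAK " $0; bad = 1 }
    # expose_php = Off removes this header entirely.
    name == "x-powered-by"               { print "LEAK " $0; bad = 1 }
    END { exit bad + 0 }
    '
}

# Constructed sample responses: default configuration vs. after Steps 3 and 4.
BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8'

AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8'

echo "before hardening:"
printf '%s\n' "$BEFORE" | check_version_leak || echo "-> version details exposed"
echo "after hardening:"
printf '%s\n' "$AFTER" | check_version_leak && echo "-> no version details in headers"
```

Because the function returns a non-zero status when a leak is found, it can be run after each configuration change or restart to catch a setting that was reverted.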
Additional Security Tips
While hiding Apache and PHP version information is a good starting point, there are other steps you can take to improve your server’s security:
- Keep your software up to date: Regularly update your operating system, Apache, PHP, and any other software you have installed. This ensures that you have the latest security patches and fixes.
- Disable unused modules: Only enable the Apache and PHP modules that you need for your web application. Disabling unnecessary modules reduces the attack surface.
- Configure strict access permissions: Ensure that sensitive files and directories have strict access permissions, preventing unauthorized access.
- Implement a Web Application Firewall (WAF): A WAF can help protect your web application from common attacks like SQL injection and cross-site scripting (XSS).
- Use HTTPS: Encrypt the communication between your server and the clients by enabling HTTPS with a valid SSL certificate.
Conclusion
Hiding Apache and PHP version information from HTTP headers is a simple yet crucial step in securing your web server. By concealing this information, you make it more difficult for attackers to target known vulnerabilities in your software. Coupled with regular software updates, strict access permissions, and other security measures, you can significantly reduce your server’s exposure to potential attacks.
5 Comments
Very helpful, did the job in one go.
Thanks, it’s helpful for me.
Very Nice Bro
Pretty nice post. I discovered your weblog and wished to say just that I’ve really enjoyed surfing around your blog posts. In any full case I’m going to be subscribing to your rss feed (hopefully I could find it) and I am hoping you soon write again very!
Hi, how can I remove the Server header completely? When using ServerTokens Prod, it sets the Server header to Apache! I want to remove this or replace that.
Thanks for your nice site.