Apache is a widely used open-source web server that serves web content and manages incoming HTTP traffic. By default, Apache includes the version number of the server software in the “Server” header field of its HTTP responses. Attackers can use this information to identify the web server software and to search for vulnerabilities that are specific to that software version. As a result, it is important to hide the Apache version number from HTTP headers to prevent potential attacks.

There are several methods that can be used to hide the Apache version number from HTTP headers:

Step 1: Check Current Apache (HTTPD) Headers

You can use the curl command line utility to check HTTP header values on your Apache web servers. Run the command as below:

curl -I http://172.24.248.89 

Replace 172.24.248.89 with your web server IP address.

Showing Apache version in HTTP headers

Step 2: Hiding the Apache Version

The simplest way to hide the Apache version number is to use the “ServerTokens” directive in the Apache configuration file. This directive controls the information that is included in the “Server” header field. By setting the “ServerTokens” directive to “Prod”, Apache will only include the name of the server software in the “Server” header field and will not include the version number.

Edit the Apache configuration file “/etc/httpd/conf/httpd.conf” (for RHEL-based systems) or “/etc/apache2/conf-enabled/security.conf” (for Debian-based systems) and update or append the following values:

Regardless of the method used, hiding the Apache version number from HTTP headers is an important step in enhancing the security of your web server. By hiding the Apache version number, you can prevent attackers from using it to identify vulnerabilities in your web server software.

Step 3: Verify Apache (HTTPD) Headers

After making the necessary changes, restart the Apache service and check the HTTP headers again.

curl -I http://172.24.248.89 

You will see that the Apache version is now hidden.

Apache version not showing in HTTP headers
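
A scripted version of the checks in Steps 1 to 3, added here as an example and not part of the original article: it reads the effective “ServerTokens” value from configuration text and tests whether a “Server” response header still carries a version. The function names, the sample configuration and the sample response (including the version string in it) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. All sample data is constructed.

# Print the effective ServerTokens value from config text on stdin: the last
# uncommented directive wins; "Full" is Apache's default when it is absent.
effective_server_tokens() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "servertokens" { v = $2 }
        END { print (v == "" ? "Full" : v) }
    '
}

# Succeed only for the values that reduce the header to the product name.
tokens_hide_version() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        prod|productonly) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if headers on stdin have a Server line with a name/version token.
header_leaks_version() {
    tr -d '\r' | grep -iE '^Server:.*[A-Za-z_-]+/[0-9]' >/dev/null
}

# Constructed config: a later directive overrides an earlier one.
sample_conf='ServerTokens OS
# ServerTokens Full
ServerTokens Prod'
value=$(printf '%s\n' "$sample_conf" | effective_server_tokens)
if tokens_hide_version "$value"; then
    echo "config: ServerTokens $value hides the version"
else
    echo "config: ServerTokens $value still discloses version details"
fi

# Constructed response headers, in the shape that curl -I prints.
if printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Debian)\r\n' |
    header_leaks_version; then
    echo "header: version disclosed"
else
    echo "header: no version in Server header"
fi
```

Against a live server, pipe the output of curl -sI http://172.24.248.89 into header_leaks_version, and feed the configuration file from Step 2 to effective_server_tokens.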

Conclusion

In conclusion, hiding the Apache version number from HTTP headers is a simple but effective way to improve the security of your web server. There are several methods that can be used to hide the version number, including using the “ServerTokens” directive, using a custom module, or modifying the Apache source code. Regardless of the method used, it is important to take the necessary steps to hide the Apache version number to prevent potential attacks against your web server.
