How to Hide Apache Version Number and Other Sensitive Info

By default, when your Apache web server answers a remote request, it sends valuable information such as the web server version number, server operating system details, installed Apache modules and more back to the client in server-generated documents.

This is a good deal of information that attackers can use to exploit vulnerabilities and gain access to your web server. To avoid exposing web server information, this article shows how to hide it using particular Apache directives.

The two important directives are:

ServerSignature

This directive controls whether a footer line showing the server name and version number is added to server-generated documents such as error messages, mod_proxy FTP directory listings, mod_info output and many more.

It has three possible values:

  1. On – adds a trailing footer line to server-generated documents,
  2. Off – disables the footer line, and
  3. EMail – additionally creates a “mailto:” reference to the ServerAdmin of the referenced document.

ServerTokens

This directive determines whether the Server response header field sent back to clients contains a description of the server OS type and information about enabled Apache modules.

This directive has the following possible values (plus sample info sent to clients when the specific value is set):

ServerTokens   Full (or not specified) 
Info sent to clients: Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2 

ServerTokens   Prod[uctOnly] 
Info sent to clients: Server: Apache 

ServerTokens   Major 
Info sent to clients: Server: Apache/2 

ServerTokens   Minor 
Info sent to clients: Server: Apache/2.4 

ServerTokens   Min[imal] 
Info sent to clients: Server: Apache/2.4.2 

ServerTokens   OS 
Info sent to clients: Server: Apache/2.4.2 (Unix) 

Note: After Apache version 2.0.44, the ServerTokens directive also controls the info offered by the ServerSignature directive.

To hide web server version number, server operating system details, installed Apache modules and more, open your Apache web server configuration file using your favorite editor:

$ sudo vi /etc/apache2/apache2.conf        #Debian/Ubuntu systems
$ sudo vi /etc/httpd/conf/httpd.conf       #RHEL/CentOS systems 

And add/modify/append the lines below:

ServerTokens Prod
ServerSignature Off 

Save the file, exit and restart your Apache web server like so (on RHEL/CentOS systems the service is named httpd rather than apache2):

$ sudo systemctl restart apache2  #SystemD
$ sudo service apache2 restart     #SysVInit
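
To confirm the change after the restart, the Server header and the error-page footer can be checked from the command line. The script below is an added example, not part of the original article; its function names are hypothetical and the sample responses are constructed from the ServerTokens values listed above.

```shell
# Added example (not from the article); function names are hypothetical.

# Print the Server header value from raw response headers on stdin, e.g. the
# output of `curl -sI`. Header names are case-insensitive and lines end in
# CRLF, so carriage returns are stripped first. Fails if no header is present.
server_header() {
    tr -d '\r' | awk '
        tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Map a Server value to the ServerTokens level that produces it, following
# the sample values in the article. Full with no module tokens looks like OS.
classify_tokens() {
    case "$1" in
        "")            echo none ;;    # header absent, e.g. stripped by a proxy
        Apache)        echo Prod ;;
        Apache/*\)\ *) echo Full ;;    # version, OS and module tokens
        Apache/*\))    echo OS ;;
        Apache/*.*.*)  echo Min ;;
        Apache/*.*)    echo Minor ;;
        Apache/*)      echo Major ;;
        *)             echo unknown ;; # not an Apache-style value
    esac
}

# Read response headers on stdin, print the level, and succeed only when no
# version, OS or module detail is disclosed.
check_headers() {
    value=$(server_header) || value=""
    level=$(classify_tokens "$value")
    echo "$level"
    [ "$level" = Prod ] || [ "$level" = none ]
}

# ServerSignature: succeed if an error page on stdin carries the footer line.
has_signature_footer() {
    grep -q '<address>Apache.* Server at .* Port [0-9]*</address>'
}

# Constructed samples: headers as `curl -sI` prints them, before and after.
before=$(printf 'HTTP/1.1 200 OK\r\nserver: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2\r\n\r\n')
after=$(printf 'HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n')
for h in "$before" "$after"; do
    level=$(printf '%s\n' "$h" | check_headers) && echo "OK: $level" ||
        echo "DISCLOSURE: ServerTokens level looks like $level"
done
# Live check (assumes the server listens on localhost): curl -sI http://localhost/ | check_headers
```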

In this article, we explained how to hide the Apache web server version number plus lots more info about your web server using certain Apache directives.

If you are running PHP on your Apache web server, I suggest you also hide the PHP version number.

As usual, you can add your thoughts to this guide via the comment section below.

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

15 Comments

  1. Hello,

    How do I test using a command line to see if the Web Server is configured correctly and not advertising?

    Thank you
    Todd

  2. Hi,

    I have modified ServerTokens Prod in the ssl.conf file; after that, the Apache server did not start…

    Job for httpd.service failed because the control process exited with an error code. See “systemctl status httpd.service” and “journalctl -xe” for details.

    Please help with this…

  3. Easy and useful
    Thank you!

    I guess there is a typo here

    $ sudo systemctl apache2 restart  #SystemD
    $ sudo service apache2 restart     #SysVInit  
    

    should be
    $ sudo systemctl restart apache2 #SystemD
    $ sudo service apache2 restart #SysVInit

    • @HugHich,

      Thanks for finding this article useful and easy to follow. Yes, your guess was right, that was a typo, corrected in the article.
