Website security is a critical part of web hosting, and revealing the Apache and PHP versions in the HTTP response headers helps attackers target your web server with version-specific vulnerabilities. Earlier I had written an article on How to hide Nginx and PHP versions in the HTTP header. This tutorial explains how to hide the Apache and PHP versions in the HTTP header on the Apache web server.
The HTTP header looks as below:

$ curl -I http://example.com

or

$ wget --server-response --spider http://example.com

HTTP/1.1 200 OK
Date: Wed, 24 Nov 2021 10:28:32 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/8.1.0RC6
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Let's now hide the Apache and PHP versions in the LAMP stack.
How to hide Apache versions in the LAMP stack
Open your Apache configuration file: /etc/httpd/conf/httpd.conf (CentOS/Redhat) or /etc/apache2/conf-enabled/security.conf (Debian/Ubuntu).
Configure ServerTokens Directive
The ServerTokens directive controls whether the server response header field should include a description of the OS and other information about compiled-in modules. The options that can be set for ServerTokens are as below:

ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full

By default, the option is Full, which should be changed to Prod as shown below:

ServerTokens Prod

The server then sends, for example: Server: Apache
Configure ServerSignature Directive
The ServerSignature directive allows controlling the details of the server version number. The options that can be set for ServerSignature are as shown below:

ServerSignature On|Off|EMail

By default, the option is Off. Make sure it remains Off by explicitly adding the directive to your httpd.conf file.

ServerSignature Off
How to hide PHP versions in the LAMP stack
Open the file /etc/php.ini and add expose_php = Off. This will disable the PHP header information.

# vim /etc/php.ini

expose_php = Off
Restart Apache Server
Before restarting, verify the configuration file as below:

# apachectl configtest
Syntax OK

If the syntax is OK, restart the Apache server to apply the new changes.

# systemctl restart httpd      ## Redhat systems
# systemctl restart apache2    ## Debian systems
Now your HTTP header should look as below:
HTTP/1.1 200 OK
Date: Wed, 24 Nov 2021 10:28:32 GMT
Server: Apache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
That’s it, the version info of Apache and PHP is no longer visible!
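To verify the change from the client side, here is an added shell check (not part of the original tutorial) that flags version or OS disclosure in the Server and X-Powered-By response headers, the two headers the ServerTokens and expose_php settings above control. The header blocks below are constructed samples, and the live wrapper assumes curl is installed.

```shell
#!/bin/sh
# Read raw HTTP response headers on stdin and report Server/X-Powered-By
# values that still carry a version ("Apache/2.4.6", "PHP/8.1.0RC6") or an
# OS token in parentheses ("(CentOS)", which ServerTokens OS would leave in).
# Returns 0 when the headers are clean, 1 when something is disclosed.
check_version_disclosure() {
    # Strip the CR of HTTP line endings; "|| true" keeps a no-match grep from
    # aborting the caller under "set -e".
    leaks=$(tr -d '\r' | grep -iE '^(Server|X-Powered-By):.*(/[0-9]|\()' || true)
    if [ -n "$leaks" ]; then
        printf 'Version/OS disclosure found:\n%s\n' "$leaks"
        return 1
    fi
    printf 'No version or OS disclosure in Server/X-Powered-By headers\n'
    return 0
}

# Live wrapper for a real host: fetch only the headers and pipe them in.
check_live_host() {
    curl -sI "$1" | check_version_disclosure
}

# Constructed sample: the unhardened response from the tutorial, plus the
# X-Powered-By header that mod_php adds while expose_php is On.
BEFORE_HEADERS='HTTP/1.1 200 OK
Date: Wed, 24 Nov 2021 10:28:32 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/8.1.0RC6
X-Powered-By: PHP/8.1.0RC6
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1'

# Constructed sample: the response after ServerTokens Prod and expose_php = Off.
AFTER_HEADERS='HTTP/1.1 200 OK
Date: Wed, 24 Nov 2021 10:28:32 GMT
Server: Apache
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1'

echo "--- before hardening ---"
printf '%s\n' "$BEFORE_HEADERS" | check_version_disclosure || true
echo "--- after hardening ---"
printf '%s\n' "$AFTER_HEADERS" | check_version_disclosure
```

Run it against a real server with check_live_host http://example.com after the restart; a non-zero exit means one of the directives above did not take effect.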