Hide Apache and PHP versions from HTTP Headers

Updated on November 26, 2021

Website security is the most important and critical component of web hosting and revealing Apache and PHP versions on the HTTP header helps hackers to attack your web server using version-specific security breaches. Earlier I had written an article on How to hide Nginx and PHP versions in the HTTP header. This tutorial will explain how to hide Apache & PHP versions in the HTTP header on the Apache webserver.

The HTTP header looks as below:

$ curl -I http://example.com
or
$ wget --server-response --spider http://example.com
HTTP/1.1 200 OK
Date: Wed, 24 Nov 2021 10:28:32 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/8.1.0RC6
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Let’s now hide the Apache and PHP versions in the LAMP stack

How to hide Apache versions in the LAMP stack

Open your Apache configuration file /etc/httpd/conf/httpd.conf (CentOS/Redhat) or /etc/apache2/conf-enabled/security.conf (Debian/Ubuntu)

Configure ServerTokens Directive

The ServerTokens directive controls whether the server response header field should include a description of the OS and other information about compiled-in modules.

There are many options that can be set for the ServerTokens as below:

ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full

By default, the option is Full, which should be changed to Prod  as shown below:

ServerTokens Prod
Server sends (e.g.): Server: Apache

Configure ServerSignature Directive

The ServerSignature directive allows controlling the details of the server version number. There are a few options that can be set for the ServerSignature as shown below:

ServerSignature On|Off|EMail

By default, the option is Off. Make sure it remains Off by explicitly adding the directive to your httpd.conf file.

ServerSignature Off

How to hide PHP versions in the LAMP stack

Open the file /etc/php.ini and add expose_php = Off. This will disable the PHP header information.

#vim /etc/php.ini
expose_php = Off
How to find the php.ini file

Run the command php -i | grep php.ini to find the configuration file path: Sample Output: Configuration File (php.ini) Path => /etc Loaded Configuration File => /etc/php.ini

Restart Apache Server

Before restarting, verify the configuration file as below:

# apachectl configtest
Syntax OK

If the syntax is OK, restart Apache server to take the new changes.

# systemctl restart httpd       ## Redhat systems

# systemctl restart apache2     ## Debian systems

Now your HTTP header should look as below:

HTTP/1.1 200 OK
Date: Wed, 24 Nov 2021 10:28:32 GMT
Server: Apache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

That’s it, the version info of Apache and PHP is no longer visible!

Was this article helpful?

Related Articles

Leave a Comment