Revealing the Apache and PHP versions in the HTTP response headers makes a web server easy to fingerprint: an attacker can match the advertised versions against published vulnerabilities and go straight to the exploits that apply. Hiding the version strings does not fix those vulnerabilities (keep patching), but it stops handing out that information for free. Earlier I wrote an article on how to hide the Nginx and PHP versions in the HTTP header. This tutorial explains how to hide the Apache and PHP versions in the HTTP header on an Apache web server.
Inspect the response headers with either of these commands:

$ curl -I http://example.com
$ wget --server-response --spider http://example.com

With the default configuration the headers look like this:

HTTP/1.1 200 OK
Date: Wed, 24 Nov 2021 10:28:32 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/8.1.0RC6
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Let’s now hide the Apache and PHP versions in the LAMP stack
How to hide Apache versions in the LAMP stack
Open your main Apache configuration file:
/etc/httpd/conf/httpd.conf (CentOS/RedHat) or /etc/apache2/apache2.conf (Debian/Ubuntu; the packaged copy of the directives below lives in /etc/apache2/conf-enabled/security.conf, so edit them there).
Configure ServerTokens Directive
The ServerTokens directive controls how much the Server response header reveals: whether it carries the version number, the operating system and the list of compiled-in modules (OpenSSL, PHP and so on). It accepts the following values, from most to least verbose; next to each is the Server header it produces for the host above:

ServerTokens Full      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/8.1.0RC6
ServerTokens OS        Server: Apache/2.4.6 (CentOS)
ServerTokens Minimal   Server: Apache/2.4.6
ServerTokens Minor     Server: Apache/2.4
ServerTokens Major     Server: Apache/2
ServerTokens Prod      Server: Apache

The default is Full. Change it to Prod:

ServerTokens Prod

Prod is the most restrictive value Apache itself offers: the header still reads Server: Apache (Apache core has no option to drop the header entirely; rewriting it needs a third-party module such as mod_security), but the version, OS and module list are gone. The directive applies to the whole server and must be set in the main server configuration, not inside a virtual host.
Configure ServerSignature Directive
The ServerSignature directive controls the footer line Apache appends to server-generated pages (error pages, directory listings, mod_proxy error messages). When it is On, that footer carries the server version and virtual host name, so it leaks the same information as the header. It accepts three values:

ServerSignature On
ServerSignature Off
ServerSignature EMail

(EMail is On plus a mailto: link to the ServerAdmin address.) The upstream default is Off, but some distribution packages override it: Debian and Ubuntu ship ServerSignature On in /etc/apache2/conf-enabled/security.conf. Make sure it is Off by adding the directive explicitly to your configuration file:

ServerSignature Off
How to hide PHP versions in the LAMP stack
Open /etc/php.ini (on Debian/Ubuntu the Apache module reads /etc/php/<version>/apache2/php.ini instead) and set:

expose_php = Off

This stops PHP from registering its version in the Server header and removes the X-Powered-By: PHP/x.y.z header it otherwise sends. The setting can only be changed in php.ini, not from .htaccess or ini_set().
Restart Apache Server
Before restarting, check the configuration for syntax errors:

# apachectl configtest
Syntax OK

If the syntax is OK, restart Apache so the changes take effect. With mod_php the same restart also reloads php.ini; if PHP runs under php-fpm instead, restart the php-fpm service as well.

# systemctl restart httpd      ## RedHat systems
# systemctl restart apache2    ## Debian systems
Now your HTTP header should look like this:

HTTP/1.1 200 OK
Date: Wed, 24 Nov 2021 10:28:32 GMT
Server: Apache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

That's it: the Apache and PHP version information is no longer visible in the headers. Remember that this only removes the advertised string; the server can still be fingerprinted from its behaviour, so it is a complement to patching, not a replacement for it.
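To confirm the change without eyeballing the headers, here is a small audit script added for this tutorial (it is not part of the original page). The two header blocks in it are constructed samples that mirror the before and after output above; the regular expression used to flag name/version tokens and the AUDIT_URL variable are my own choices.

```shell
#!/bin/sh
# Added example: audit an HTTP response header block for server-version
# leaks. The sample responses below are constructed for this example; the
# "leaky" one mirrors the default header shown earlier, the "hardened" one
# the result after ServerTokens Prod / ServerSignature Off / expose_php = Off.

LEAKY_HEADERS='HTTP/1.1 200 OK
Date: Wed, 24 Nov 2021 10:28:32 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/8.1.0RC6
X-Powered-By: PHP/8.1.0RC6
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1'

HARDENED_HEADERS='HTTP/1.1 200 OK
Date: Wed, 24 Nov 2021 10:28:32 GMT
Server: Apache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1'

# audit_headers: read a header block on stdin, print one line per leak,
# return 0 when nothing leaks and 1 otherwise.
audit_headers() {
    leaks=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # curl -I keeps the CRLF
        case "$line" in
            [Ss]erver:*)
                # any "name/1.2.3" token is a product version; "Server: Apache" has none
                if printf '%s' "$line" | grep -Eq '[A-Za-z0-9_-]+/[0-9]+(\.[0-9]+)*'; then
                    echo "version in Server header: $line"
                    leaks=$((leaks + 1))
                fi
                ;;
            [Xx]-[Pp]owered-[Bb]y:*)
                echo "X-Powered-By present (expose_php is still On): $line"
                leaks=$((leaks + 1))
                ;;
        esac
    done
    [ "$leaks" -eq 0 ]
}

# audit_host: the same check against a live server (needs curl and network).
audit_host() {
    curl -sS -I --max-time 10 "$1" | audit_headers
}

# Stand-alone run: set AUDIT_URL to audit a real host, otherwise the samples.
if [ -n "${AUDIT_URL:-}" ]; then
    audit_host "$AUDIT_URL"
else
    echo "== constructed leaky response =="
    printf '%s\n' "$LEAKY_HEADERS" | audit_headers || echo "-> leaks found"
    echo "== constructed hardened response =="
    printf '%s\n' "$HARDENED_HEADERS" | audit_headers && echo "-> no version leaks"
fi
```

Run it with AUDIT_URL=http://example.com after the restart; a non-zero exit status means a version string is still leaking, which makes it easy to drop into a post-deployment check.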