It all starts here: whenever a client requests a page, the server sends back the response body (the actual content) together with a set of response headers. The headers carry information such as the HTTP status, Content-Type, Content-Length, the Location of the requested page, the response date and time, server details, and whatever third-party tools and plugins choose to add. For example, a default web server configuration will disclose sensitive details such as the web server version, the name of the operating system, the W3 Total Cache version (when that WordPress plugin is in use), the PHP version, the Pagespeed version, and so on.
Here’s an example header response:
How to view response headers of a website?
Method 1: You can use Chrome's Inspect Element (Network tab) or the Firebug extension.
Method 2: Using Curl command:
$ curl -is http://domain.com/ | head -20
HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Jul 2015 10:59:48 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://domain.com
X-Powered-By: W3 Total Cache/0.9.2.3
X-Powered-By: PHP/5.4.20
X-Pingback: http://domain.com/xmlrpc.php
X-Mod-Pagespeed: 1.6.29.7-3343
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1
Method 3: Using wget command
$ wget --server-response --spider http://domain.com
Spider mode enabled. Check if remote file exists.
--2015-07-07 17:09:52--  http://domain.com
::::::::::::::::::::::::::::::::::::
HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Jul 2015 10:59:48 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://domain.com
X-Powered-By: W3 Total Cache/0.9.2.3
X-Powered-By: PHP/5.4.20
X-Pingback: http://domain.com/xmlrpc.php
X-Mod-Pagespeed: 1.6.29.7-3343
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1
Method 4: Using Telnet
You can telnet to the server on port 80 and type a GET request by hand, as shown below. After the Host line, press Enter twice: the empty line tells the server the request headers are complete.
# telnet www.domain.com 80
Trying 216.xx.xxx.xx...
Connected to www.domain.com (216.xx.xxx.xx).
Escape character is '^]'.
GET / HTTP/1.1
Host: www.domain.com
Below is the sample response header:
HTTP/1.1 200 OK
Date: Fri, 27 Oct 2017 09:48:46 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2017-10-27-09; expires=Fri, 03-Nov-2017 09:48:46 GMT; path=/; domain=.domain.com
Set-Cookie: NID=115=2ZkmDj7Xd8qci5tKQ5PNlNa5QS0556ExBPJzQOTUCA42fWSM1C5fkRsxxiWlIHrpFM3Q_rxDpRvF4qjFRPpuiUBRFcQxH5f8g7gkFDEqNH_aKi8LZuuohJbX7cWj_uLu; expires=Sat, 28-Apr-2018 09:48:46 GMT; path=/; domain=.domain.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
From the examples above you can read off the Apache version, the operating system name, the PHP version, the Pingback URL, the Mod-Pagespeed version, and more. It doesn't stop there: third-party tools and plugins sometimes push their own details into the headers, and all of it is publicly visible to anyone who sends a request.
It is good practice to hide that information using the Apache Header directive. The directive is processed before the server sends its response to the client, so it lets you set or unset response headers on the way out.
To use it you need mod_headers (listed as headers_module). Check whether your web server has the module loaded with the command below and look for headers_module in the output:
# /usr/sbin/httpd -M
You will find more information about Apache modules and how to list the enabled modules here.
Turn Off Apache Signature information
Open httpd.conf file as below:
# vim /etc/httpd/conf/httpd.conf
Make sure the values of 'ServerSignature' and 'ServerTokens' are set as below (Prod reduces the Server header to the bare product name, "Apache"):
ServerSignature Off
ServerTokens Prod
Restart the web server as below:
# /etc/init.d/httpd restart
Turn Off PHP version information
Open php.ini file as below:
# vi /etc/php.ini
Make sure 'expose_php' is turned Off as below (this removes the X-Powered-By: PHP/... header):
expose_php = Off
Restart web server as below:
# /etc/init.d/httpd restart
Now let's go ahead and remove the remaining unwanted response headers:
Set or Unset Apache response headers
Copy and paste the lines below into httpd.conf or .htaccess:
<IfModule mod_headers.c>
Header unset Server
Header always unset X-Powered-By
Header unset X-Powered-By
Header unset X-CF-Powered-By
Header unset X-Mod-Pagespeed
Header unset X-Pingback
</IfModule>
Restart web server as below:
# /etc/init.d/httpd restart
That's it! After the restart, mod_headers will strip 'Server', 'X-Powered-By', 'X-CF-Powered-By', 'X-Mod-Pagespeed' and 'X-Pingback' before the response is sent.
Note: You cannot completely remove 'Server' from the response; with ServerTokens Prod you will still see 'Server: Apache' in the response headers. Also, you may need 'Header always unset X-Powered-By' to remove headers generated by CGI scripts, because those are placed in the header table that 'always' operates on rather than the default one.
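The quickest way to confirm the changes took effect is to capture the headers again (curl, wget or telnet, as above) and check them against the list of headers this post unsets. The script below is an added example and is not part of the original post: it parses a raw response header block, keeps duplicate headers (the two X-Powered-By lines), and reports which disclosing headers are still present, treating a bare 'Server: Apache' as acceptable because that is all ServerTokens Prod leaves. The "before" sample is the curl output shown earlier; the "after" sample is constructed to show what a hardened server returns.

```python
"""Audit captured HTTP response headers for version/technology disclosure.

Added example, not code from the original post. Paste the header block
produced by curl -is, wget --server-response or telnet into find_disclosures().
"""
import re

# Headers the post strips with mod_headers, plus Server, which can only be
# reduced to the bare product name ("Apache") via ServerTokens Prod.
DISCLOSURE_HEADERS = {
    "server",
    "x-powered-by",
    "x-cf-powered-by",
    "x-mod-pagespeed",
    "x-pingback",
}

# Sample input reused from the curl output earlier in the post.
BEFORE_HARDENING = """HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Jul 2015 10:59:48 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://domain.com
X-Powered-By: W3 Total Cache/0.9.2.3
X-Powered-By: PHP/5.4.20
X-Pingback: http://domain.com/xmlrpc.php
X-Mod-Pagespeed: 1.6.29.7-3343
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1
"""

# Constructed sample: the same server after ServerTokens Prod, expose_php=Off
# and the Header unset lines from the post.
AFTER_HARDENING = """HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Jul 2015 10:59:48 GMT
Server: Apache
Location: http://domain.com
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1
"""


def parse_response_headers(raw):
    """Return (status_line, [(name, value), ...]) from a raw response.

    Duplicates are kept, and parsing stops at the first blank line, where
    the body would begin. Lines without a colon (e.g. wget's ':::' separator)
    are skipped.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status_line = lines[0].strip()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers


def server_header_leaks_version(value):
    """True when Server carries more than a bare product name.

    'Apache' is what ServerTokens Prod leaves; 'Apache/2.2.3 (CentOS)'
    exposes version and operating system.
    """
    return bool(re.search(r"[/(]|\d", value))


def find_disclosures(raw):
    """Map each disclosing header (lower-cased) to the list of values seen."""
    _, headers = parse_response_headers(raw)
    found = {}
    for name, value in headers:
        key = name.lower()
        if key not in DISCLOSURE_HEADERS:
            continue
        if key == "server" and not server_header_leaks_version(value):
            continue  # bare 'Server: Apache' is the best Apache allows
        found.setdefault(key, []).append(value)
    return found


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_HARDENING), ("after", AFTER_HARDENING)):
        leaks = find_disclosures(sample)
        print(f"{label}: {'clean' if not leaks else leaks}")
```

Run it against a fresh capture after each restart; an empty result means the unset directives and ServerTokens Prod are all in effect, while a non-empty 'x-powered-by' entry after the change is the usual sign that the 'always' variant is needed for CGI-generated headers.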
doesn’t work
All of these tutorials are editing the wrong file. It’s NOT apache/conf/httpd.conf
SOLUTION:
You need to edit apache/conf/extra/httpd-default.conf
When you open it you will see the variables you were adding to the wrong file. Remove them from the httpd.conf file.
Remember you must restart your Apache server for this to work.
Hope that helps.
Thanks Rany.
The location of the configuration file changes based on the installation. Some versions install the configuration file under the /etc/ folder, and newer versions of Apache place the configuration file in the apache folder.
Header unset Server is not working.
Hello,
I get x-proxy-cache: MISS in my WordPress blog that operates on an Apache server. What's the cause of this?
Hi, I am so thankful to you about this blog! I was searching for this header unset thing but none of the options were actually working!
I just applied your option and worked like a charm!
Thank you once more!
Hello Sir
Greetings!
I have tried to follow the help you gave above.
Most of it worked nicely; the versions are hidden now.
But I want to hide this one as well:
Server: Apache
Server: gws
Please help me a bit more with it.