Disable Apache ServerSignature/ServerTokens/PHP X-Powered-By details

Q. While browsing I'm seeing the server's sensitive information in its responses. Is it possible to hide it?

Yup, it's possible. All you need to do is edit the web server (Apache) configuration file, as explained in this blog article. In Apache, the ServerSignature and ServerTokens directives control this. Here I'm explaining the concept with a few examples. If you have a control panel like cPanel/WHM installed on the server, you can change this setting from the control panel itself; there is no need to edit the configuration file manually.

Disabling these features removes the version and OS details that an outsider would otherwise use to fingerprint the server, which improves its overall security posture.

Here we go!

Requirements

  1. Root access to the server.
  2. Knowledge of editing the Apache conf file. You can use your favorite command-line editor to edit the configuration file. On CentOS/RHEL the Apache configuration file is "/etc/httpd/conf/httpd.conf".

About the directives

1. ServerSignature: This Apache directive controls whether a trailing footer line containing the server version number and ServerName is appended to server-generated pages, i.e. error pages, not found (404) pages and so on. By default it is disabled in the Apache configuration, which means no such sensitive information is shown in the browser when error pages are generated.

Default value

ServerSignature Off

To enable ServerSignature

Edit the Apache configuration file and set this directive to On:

ServerSignature On

The images below show a not found (404) page from a web server with and without ServerSignature enabled.

Server with default settings (Off)

[Image: ServerSignature1, a 404 page with ServerSignature Off]

Server with ServerSignature directive On

[Image: ServerSignature2, a 404 page with ServerSignature On]

You can also add an email (mailto) link for the ServerAdmin address to this error page by setting the directive as follows:

ServerSignature Email

P.S. Don't forget to restart the Apache web server after editing the configuration file.

On CentOS and RHEL servers, use the following command to restart the Apache daemon:

systemctl restart httpd

You can also check what the server reveals from the CLI (command line interface). Use the following command to fetch only the response headers:

lynx -head -mime_header http://ser.ver.ip.addr

2. ServerTokens: This directive controls how much detail the server includes in the Server response header: the Apache version, the operating system and the compiled-in modules. Several values are available for this directive. Please see the table below for details:

ServerTokens value        Value the server sends
Prod (or ProductOnly)     Server: Apache
Major                     Server: Apache/2
Minor                     Server: Apache/2.4
Min (or Minimal)          Server: Apache/2.4.6
OS                        Server: Apache/2.4.6 (CentOS)
Full                      Server: Apache/2.4.6 (CentOS) PHP/5.2.17

Example

ServerTokens Prod
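To confirm that both directives are actually set the way the article recommends, here is a small POSIX shell audit script. It is an added example, not code from the original article: it reads an httpd.conf, ignores commented-out lines, takes the last occurrence of each directive (Apache's last-wins rule within a scope) and falls back to Apache's compiled-in defaults (ServerTokens Full, ServerSignature Off) when a directive is absent. The two configuration files it checks are constructed inline for demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example: audit an Apache config for ServerTokens / ServerSignature.
# Not part of the original article; effective_value and audit_conf are names
# chosen here. Apache uses the last occurrence of a directive in a scope, so
# the last uncommented match wins; absent directives fall back to the default.

# effective_value <conf> <directive> <default>: print the value in force.
effective_value() {
  conf="$1"; directive="$2"; default="$3"
  # Only uncommented lines that start with the directive count; take the last one.
  value=$(grep -i "^[[:space:]]*${directive}[[:space:]]" "$conf" \
          | awk '{print $2}' | tail -n 1)
  [ -n "$value" ] && echo "$value" || echo "$default"
}

# audit_conf <conf>: report both directives; return 0 if hardened, 1 if leaking.
audit_conf() {
  conf="$1"
  tokens=$(effective_value "$conf" ServerTokens Full)   # Apache default: Full
  sig=$(effective_value "$conf" ServerSignature Off)    # Apache default: Off
  status=0
  case "$tokens" in
    [Pp]rod|[Pp]roduct[Oo]nly)
      echo "ServerTokens $tokens: OK";;
    *)
      echo "ServerTokens $tokens: leaks version details, set 'ServerTokens Prod'"
      status=1;;
  esac
  case "$sig" in
    [Oo]ff)
      echo "ServerSignature $sig: OK";;
    *)
      echo "ServerSignature $sig: error-page footer reveals the version, set 'ServerSignature Off'"
      status=1;;
  esac
  return $status
}

# Constructed sample configs (not copied from any real server).
weak_conf=$(mktemp); hard_conf=$(mktemp)
trap 'rm -f "$weak_conf" "$hard_conf"' EXIT
cat > "$weak_conf" <<'EOF'
ServerTokens OS
ServerSignature On
EOF
cat > "$hard_conf" <<'EOF'
# ServerTokens Full   <- commented out, must be ignored
ServerTokens Prod
ServerSignature Off
EOF

audit_conf "$weak_conf"; echo "weak config exit status: $?"
audit_conf "$hard_conf"; echo "hardened config exit status: $?"
```

For a real server run `audit_conf /etc/httpd/conf/httpd.conf`. The script looks at a single file only: it does not follow Include lines, so on distributions that set these directives in a separate file (Debian/Ubuntu use /etc/apache2/conf-enabled/security.conf) point it at that file as well.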

Then, how do you hide the PHP version (the X-Powered-By header)?

This is controlled in the PHP configuration file (php.ini). Run the command "php --ini" to see which configuration file your PHP installation loads, then set the following directive in it:

expose_php = Off
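Once both the Apache directives and expose_php are set, the place to verify the result is the response headers, as the lynx command above shows. The following POSIX shell example is added here and is not from the original article: it reads a header block (what `lynx -head -mime_header` or `curl -sI` prints) from stdin, extracts the Server and X-Powered-By headers and reports whether a version, an OS name or a PHP banner is still being sent. The two responses it checks are constructed samples, not captures from a real host, and the function names are my own.

```shell
#!/bin/sh
# Added example: check captured HTTP response headers for server disclosure.
# Not from the original article; header_value and check_response are names
# chosen here. Sample responses below are constructed, not real captures.

# header_value <name>: print the value of the named header read from stdin
# (case-insensitive, tolerates CRLF line endings, first match wins).
header_value() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr -d '\r' | awk -v name="$name" '
    { line = $0; split(line, f, ":")
      if (tolower(f[1]) == name) {
        sub(/^[^:]*:[ \t]*/, "", line); print line; exit
      } }'
}

# check_response: read a header block from stdin, print findings,
# return 0 when nothing is disclosed and 1 when something still leaks.
check_response() {
  hdrs=$(cat)
  status=0
  server=$(printf '%s\n' "$hdrs" | header_value Server)
  powered=$(printf '%s\n' "$hdrs" | header_value X-Powered-By)
  case "$server" in
    "")      echo "Server header: absent";;
    */*|*\(*) # a slash means a version number, a parenthesis means an OS name
             echo "Server header: '$server' exposes version/OS; set ServerTokens Prod"
             status=1;;
    *)       echo "Server header: '$server' OK";;
  esac
  if [ -n "$powered" ]; then
    echo "X-Powered-By: '$powered' present; set expose_php = Off"
    status=1
  else
    echo "X-Powered-By: absent OK"
  fi
  return $status
}

# Constructed sample responses: one with everything exposed, one hardened.
leaky='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.2.17
X-Powered-By: PHP/5.2.17
Content-Type: text/html; charset=UTF-8'

clean='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8'

printf '%s\n' "$leaky" | check_response; echo "leaky exit status: $?"
printf '%s\n' "$clean" | check_response; echo "clean exit status: $?"
```

Against a live server you would pipe the real headers in, for example `curl -sI http://ser.ver.ip.addr | check_response` or `lynx -head -mime_header http://ser.ver.ip.addr | check_response`. Note that the ServerSignature footer lives in the HTML body of error pages, not in the headers, so it is checked by requesting a non-existent URL and looking at the page itself.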

That’s it dude!! Let’s rock!

Arunlal A
