Disable Apache ServerSignature/ServerTokens/PHP X-Powered-By details
Q. While browsing I’m seeing server’s sensitive information. Is it possible to disable them?
Yup, it’s possible. The only thing you need to do is edit the web server (Apache) configuration file as I explained in this Blog article. In Apache, the following directives, ServerSignature and ServerTokens manage this option. Here I’m explaining this concept with different examples. If you’ve control panels like cPanel/WHM installed on the server, you can edit this feature simply from the control panel itself. There is no need to worry about editing the configuration file manually.
Disabling these features will increase total server security.
Here we go!
- Root access to server.
- Knowledge about editing Apache conf file. You can use your favorite command-line tool to edit the configuration file. Apache configuration file is “/etc/httpd/conf/httpd.conf“
About the directives
1. ServerSignature : This Apache directive is responsible to generate a trailing footer line along with the server version number and ServerName for server generated pages, ie error pages, not found (404) pages etc. By-default it’s disabled on the Apache configuration. That means it does not displays any sensite information on web browsers while generating error pages.
To enable ServerSignature
Edit the Apache configuration file and change set this directive On.
The images below show a not found (404) page from a web server with and without ServerSignature enabled.
Server with default settings (Off)
Server with ServerSignature directive On
You can also add Email link to this error page by enabling the following directive:
P.S don't forget to restart the Apache web-server after editing the configuration file.
For CentOS and RHEL server, use the following command to restart the Apache daemon:
systemctl restart httpd
This can also be done from the CLI (Command Line Interface). Use the following command to test this:
lynx -head -mime_header http://ser.ver.ip.addr
2. ServerTokens : This directive controls the responses which server sends to include the server details, OS and other complied modules. A lot of options are available with this directive. Please see the table for more details:
|ServerTokens Value||The value server sends|
|Prod (or ProductOnly)||Server: Apache|
|Min (or Minimal)||Server: Apache/2.4.6|
|OS||Server: Apache/2.4.6 (CentOS)|
|Full||Server: Apache/2.4.6 (CentOS) PHP/5.2.17|
Then, how to hide PHP version (X-Powered-By)?
This can be disabled for the PHP configuration file. Execute the command “php –ini” command to load configuration file for PHP installation.
expose_php = Off
That’s it dude!! Let’s rock!