Remove Server Version Banner in Apache

Objective

To avoid exposing the version of Apache that the web server is running, which can aid attackers.

Solution

Go to Geek Flare’s Test Site and check your website’s HTTP response header. With a default Apache configuration, the header will expose Apache’s version and the OS:

Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips

Edit your Apache configuration file /etc/apache2/httpd.conf and add the following:

ServerTokens Prod
ServerSignature Off

The ServerTokens directive will change the header to display only the web server type.

The ServerSignature directive will remove the version information from the page generated by Apache.

Reload Apache

[root@nowherelan]# systemctl reload httpd.service

Check your website’s HTTP Response Header again. Now it should only show

Server: Apache
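
The same before/after check can be run from a shell instead of a third-party site. This is an added example, not part of the original post; the function names, the constructed sample responses and the localhost URL in the comment are assumptions for illustration.

```shell
#!/bin/sh
# Classify the Server header in HTTP response headers read from stdin.
# Prints "absent", "minimal: <value>" or "verbose: <value>".
classify_server_header() {
    # HTTP lines end in CRLF and header names are case-insensitive,
    # so strip CRs and compare the lower-cased name. First Server line wins.
    _srv=$(tr -d '\r' | awk -F':' '
        !seen && tolower($1) == "server" {
            sub(/^[^:]*:[ \t]*/, "")
            print
            seen = 1
        }')
    case "$_srv" in
        "") echo "absent" ;;
        # A digit, slash or parenthesis means version, module or OS tokens.
        *[0-9]*|*/*|*"("*) echo "verbose: $_srv" ;;
        *) echo "minimal: $_srv" ;;
    esac
}

# Constructed sample responses using the two Server values shown on this page.
sample_default() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips\r\nContent-Type: text/html\r\n\r\n'
}
sample_hardened() {
    printf 'HTTP/1.1 200 OK\r\nserver: Apache\r\nContent-Type: text/html\r\n\r\n'
}

sample_default  | classify_server_header
sample_hardened | classify_server_header

# Against a live server (assumes curl is installed; the URL is a placeholder):
#   curl -sI http://localhost/ | classify_server_header
```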

My System Configuration

  • CentOS 7
  • Apache 2.4
