In the default configuration of Apache, any page will contain a full signature of the server. Server signatures contain valuable information about installed software and can be read (and exploited) by worms and hackers. Therefore is it safer to turn off this behavior. This is how you do it:
Open Apache’s configuration file (httpd.conf or apache2.conf) and search for ServerSignature
ServerSignature can be set to On, Off or EMail. Set it to Off.
After that search for ServerTokens
ServerTokens can be set to:
- Prod (Server: Apache)
- Min (Server: Apache/1.3.0)
- OS (Server: Apache/1.3.0 (Unix))
- Full (Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2)
Set it to Prod, as you can see this reveals the least information.
If you use PHP on your webserver, another thing you can do is telling PHP not to show it’s version. To accomplish this, open PHP’s configuration file (php.ini), search for expose_php and set it Off.
Obvious, after making these changes, we have to reload Apache. On a Red Hat / CentOS machine we do this by invoking
service httpd reload
On a Ubuntu / Debian machine we do this by invoking