How to hide Apache and PHP versions
Why Hide Apache and PHP Versions?
Hiding Apache and PHP versions helps protect your web server. If attackers know the exact versions, they can look for known vulnerabilities in those releases and exploit them. Hiding this information does not affect server performance, but it makes an attacker's job harder.
Checking Server Information
Let's see what information our servers reveal when we try to open a non-existent page or directory.
Windows with Apache 2.4:

No version or OS details are shown. This is good.
Linux Mint (Ubuntu) with Apache 2.4:

Here we see the full Apache version and OS info. This is not secure.
Debian with Apache 2.2:

Again, all version info is exposed.
HTTP Headers Reveal More
Even on Windows, Apache sends detailed version info in HTTP headers.

Same with Linux Servers


Same result here. Versions are visible.
How to Hide Apache Version
Add the following lines to the Apache config file:
ServerSignature Off
ServerTokens Prod
On Windows
Find and open this file:
C:\Server\bin\Apache24\conf\httpd.conf
Add the lines above, save, and restart Apache.

On Linux
For Debian/Ubuntu/Linux Mint:
$ sudo vi /etc/apache2/apache2.conf
For CentOS/Fedora/RHEL/Arch:
$ sudo vi /etc/httpd/conf/httpd.conf
Add:
ServerSignature Off
ServerTokens Prod
Restart Apache:
$ sudo service apache2 restart # Debian/Ubuntu/Linux Mint
$ sudo service httpd restart # CentOS/RHEL 6
$ sudo systemctl restart httpd # Fedora/CentOS/RHEL 7+/Arch


Hiding PHP Version
The HTTP response often includes the PHP version in the "X-Powered-By" header.


To hide it, open php.ini and set:
expose_php = Off
On Windows
Find and open:
C:\Server\bin\PHP\php.ini
On Linux
For Debian/Ubuntu/Linux Mint:
$ sudo vi /etc/php5/apache2/php.ini
For CentOS/Fedora/RHEL/Arch:
$ sudo vi /etc/php.ini
Set:
expose_php = Off
Restart Apache:
$ sudo service apache2 restart # Debian/Ubuntu/Linux Mint
$ sudo service httpd restart # CentOS/RHEL 6
$ sudo systemctl restart httpd # Fedora/CentOS/RHEL 7+/Arch
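
To confirm that the settings above took effect, the following check reads one raw HTTP response and reports anything that still reveals a version. It is an added example, not part of the original article; the function name find_version_leaks, the sample responses and their version numbers are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). Reads one raw HTTP response
# (headers, blank line, body) on stdin, prints every line that still leaks
# version details, and returns 1 if a leak was found, 0 if the response is clean.
# Against your own server: curl -si http://localhost/no-such-page | find_version_leaks
find_version_leaks() {
    tr -d '\r' | awk '
        # The first empty line ends the headers and starts the body.
        !body && $0 == "" { body = 1; next }
        !body {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
            # With ServerTokens Prod the value is the bare word "Apache";
            # digits or an "(OS)" part mean version details are still sent.
            if (name == "server" && value ~ /[0-9(]/) { print "LEAK header: " $0; leaks++ }
            # PHP sends this header while expose_php is On.
            if (name == "x-powered-by") { print "LEAK header: " $0; leaks++ }
            next
        }
        # ServerSignature On appends an <address> footer to error pages.
        /<address>.*Server at/ { print "LEAK signature: " $0; leaks++ }
        END { exit (leaks > 0) }
    '
}

# Constructed sample: a 404 response from a server with default settings.
BEFORE='HTTP/1.1 404 Not Found
Server: Apache/2.4.0 (Ubuntu)
X-Powered-By: PHP/5.0.0
Content-Type: text/html

<address>Apache/2.4.0 (Ubuntu) Server at localhost Port 80</address>'

# Constructed sample: the same request after ServerSignature Off,
# ServerTokens Prod and expose_php = Off.
AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<p>The requested URL was not found on this server.</p>'

printf '%s\n' "$BEFORE" | find_version_leaks || echo "before: leaks found"
printf '%s\n' "$AFTER" | find_version_leaks && echo "after: clean"
```

Request a non-existent page when testing a live server, because the ServerSignature footer only appears on server-generated pages such as the 404 error.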
