Hiding Apache and PHP version information from your server's HTTP response headers

Whenever you make an HTTP request, your browser sends a request header to the server describing what it wants and what it will accept. The server in turn responds with a response header. Apache servers share more information in their HTTP response headers than you may like.

While it is not sensitive information in itself, Apache does by default share its version. The same applies to PHP.

The problem arises when exploits are found for specific build versions. Making this information so easily available makes it more likely you will be identified and targeted than if it were not shared. As an example, this page shows a breakdown of Apache vulnerabilities by version.

Best practice dictates that this information be removed from all server response headers. It is okay to send general information, such as the fact that you are using Apache, but sending the Apache version number and PHP version number should be disabled in the server settings.

To illustrate the default headers returned by an apache2 server, I set up Apache2/PHP on a new Ubuntu server.

Highlighted below are the version details returned by each server response header.

Apache response headers

Turning off Apache2 and PHP version details in your server response headers

There are two settings to configure.

The ServerSignature directive configures the trailing footer that appears on server-generated documents such as directory listings and 404 error pages. When it is set to On, a trailing line is added to those pages containing the server version number and other details such as the webmaster email address (if specified).

The ServerTokens directive has a few more options. The best choice is Prod, which will show just "Apache"; however, I have listed all the options below for your reference.

ServerTokens Full (or not specified)
- Server sends (e.g.): Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2

ServerTokens Prod[uctOnly]
- Server sends (e.g.): Server: Apache

ServerTokens Major
- Server sends (e.g.): Server: Apache/2

ServerTokens Minor
- Server sends (e.g.): Server: Apache/2.4

ServerTokens Min[imal]
- Server sends (e.g.): Server: Apache/2.4.2

ServerTokens OS
- Server sends (e.g.): Server: Apache/2.4.2 (Unix)

## Making the changes to your server

Open your apache2.conf file:

vi /etc/apache2/apache2.conf

Look for the words ServerSignature and ServerTokens. If they are found, edit them to look like the lines below. If they aren't found, add these two lines to the bottom of the file:

ServerSignature Off
ServerTokens Prod

For PHP, we will edit the php.ini file:

vi /etc/php5/apache2/php.ini

Look for the word expose_php. If found, update it to look like the line below. If it isn't there, add this line to the bottom of your php.ini file:

expose_php = Off

That's all! After this, restart apache2:

sudo service apache2 restart

Now your server response headers should look like this.

Apache response headers

You will see, compared to the example I posted above, that it no longer contains Apache or PHP version information. Perfect!
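Rather than eyeballing the headers, you can script the check so it can be repeated after every config change or deployment. The function below is an added example, not part of the original post: it reads raw HTTP response headers on standard input and reports whether the Server header still carries a version number (anything other than ServerTokens Prod) or whether PHP's X-Powered-By header is present (expose_php still On). The two header blocks it runs against are constructed samples built from the ServerTokens examples above; against a real server you would feed it the output of `curl -sI http://localhost/` instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit Apache/PHP response headers
# for version disclosure. Live usage:  curl -sI http://localhost/ | audit_headers

# audit_headers: reads raw response headers on stdin, prints one line per
# finding, returns 0 when nothing leaks and 1 when a version is exposed.
audit_headers() {
    # Strip CR so the check also works on real "\r\n"-terminated responses.
    input=$(tr -d '\r')
    leaks=0

    # Server header: a "/<digit>" after a product name means a version is
    # exposed (ServerTokens Full, OS, Min, Minor or Major). "Server: Apache"
    # on its own (ServerTokens Prod) passes.
    server=$(printf '%s\n' "$input" | grep -i '^server:' | head -n 1)
    if printf '%s\n' "$server" | grep -Eq '/[0-9]'; then
        printf 'LEAK  %s  (set ServerTokens Prod)\n' "$server"
        leaks=1
    fi

    # X-Powered-By is only emitted by PHP while expose_php = On; its mere
    # presence is a finding regardless of the value.
    powered=$(printf '%s\n' "$input" | grep -i '^x-powered-by:' | head -n 1)
    if [ -n "$powered" ]; then
        printf 'LEAK  %s  (set expose_php = Off)\n' "$powered"
        leaks=1
    fi

    if [ "$leaks" -eq 0 ]; then
        echo 'OK    no version information in Server or X-Powered-By'
    fi
    return "$leaks"
}

# Constructed sample: headers as a default install would send them
# (Server line taken from the ServerTokens Full example above).
BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.2 (Unix) PHP/4.2.2
X-Powered-By: PHP/4.2.2
Content-Type: text/html'

# Constructed sample: headers after ServerTokens Prod and expose_php = Off.
AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html'

echo '--- before ---'
printf '%s\n' "$BEFORE" | audit_headers || echo 'exit status 1: version information exposed'
echo '--- after ---'
printf '%s\n' "$AFTER" | audit_headers
```

The non-zero exit status makes the function usable as a post-deploy gate: a configuration management run or CI job can call `curl -sI` against the freshly restarted server and fail the pipeline if a version string reappears, for instance after a package upgrade rewrites apache2.conf or php.ini. Note that this checks headers only; the ServerSignature footer lives in the body of error pages and directory listings, so confirm that separately by requesting a non-existent path.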