Disable/hide apache version in headers?

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
How can we hide this?

On security tests it's not a very bad thing, but the server is displayed in headers like Apache/2.4.
The advice is to hide this, but how can this be done?

I found an older thread where it was written one should edit the /etc/httpd/conf/extra/httpd-default.conf and set:
ServerSignature Off (I believe this is the default)
and
ServerTokens Prod (default is Major)
and restart httpd.

Now I tried this, and also tried Minor on ServerTokens, but it does not change much, it keeps stating "Server apache/2.4" in headers.

How can we hide this?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Hello Richard,

You've got it right, the file conf/extra/httpd-default.conf is the only one which needs to be updated regarding the matter. If it did not hide the Apache version in your case, it might be because either Apache failed to restart or you have the same directive in another place.

You can detect whether or not Apache's version is hidden on a default Apache error page, i.e. a 4xx error, in its default view without processing with PHP.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Hello Alex.

Seems indeed the case, changed it now and it is now only showing "Apache", which seems fine to me.

I presume to prevent overwriting I have to copy the current httpd-default.conf to the /usr/local/directadmin/custombuild/custom/ap2/conf/extra directory, correct?
 

Richard8

Verified User
Joined
Jul 4, 2019
Messages
67
Old thread but similar situation:

My /usr/local/directadmin/custombuild/custom/ap2/ only contains configure.php72 (related to my build options), do I just mkdir conf and extra and add a file like httpd-default.conf10 so that I can set ServerTokens Prod persistent? That's the only extra line I need to change, but I need it to survive updates so I can execute it across all my DA servers.

Thanks,
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
That should be exactly httpd-default.conf, not httpd-default.conf10.

Create a directory structure, copy a file:

Code:
cd /usr/local/directadmin/custombuild/
mkdir -p custom/ap2/conf/extra/
cp -p configure/ap2/conf/extra/httpd-default.conf custom/ap2/conf/extra/httpd-default.conf

Update the file and change the option to

Code:
ServerSignature Off

Restart Apache.
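
The two checks raised earlier in the thread (the same directive set in another place, and what the server actually sends in its Server header) can be scripted. This is an added example, not part of any post above; the function names and the sample config tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Print every active ServerTokens/ServerSignature line under a config
# directory as file:line:text, so a second copy of the directive in
# another include is visible.
find_directives() {
    grep -rniE '^[[:space:]]*Server(Tokens|Signature)[[:space:]]' "$1"
}

# Number of active occurrences of one directive ($2) under directory $1.
count_directive() {
    grep -rhiE "^[[:space:]]*$2[[:space:]]" "$1" | wc -l | tr -d ' '
}

# Pull the Server header value out of raw response headers on stdin.
server_header() {
    tr -d '\r' | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1
}

# "leaks" if the value carries a version or OS detail, else "ok".
classify_server_header() {
    case "$1" in
        *[0-9]*|*"("*) echo leaks ;;
        *) echo ok ;;
    esac
}

# Build a constructed config tree with a conflicting ServerTokens line.
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/extra" || return 1
    printf 'ServerSignature Off\nServerTokens Prod\n' > "$d/extra/httpd-default.conf"
    printf '# ServerTokens Full\n  ServerTokens Major\n' > "$d/extra/httpd-vhosts.conf"
    echo "$d"
}

# Demo on the constructed tree and a constructed 404 response.
tree=$(make_sample_tree)
find_directives "$tree"
echo "ServerTokens set $(count_directive "$tree" ServerTokens) times"
hdr=$(printf 'HTTP/1.1 404 Not Found\r\nServer: Apache/2.4\r\n\r\n' | server_header)
echo "$hdr -> $(classify_server_header "$hdr")"
rm -rf "$tree"
```

On a real server, point `find_directives` at the Apache config directory and pipe live headers in with `curl -sI http://localhost/ | server_header`.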
 