January 18, 2021



Apache – Turn off server signature

Having your server include a signature at the end of a web page can be a security risk, so turn off the server signature before someone targets your server. With it on, they can easily see which web server version and operating system you are using, and then use that information to search for exploits specific to your version. So we had better leave it out.






By requesting a page we know doesn't exist, to provoke a 404 page, we can see the Apache version and that we are using Debian.

On a Debian based Linux distro (Ubuntu, Linux Mint, etc.) we open this file: /etc/apache2/apache2.conf
On a Red Hat based distro (CentOS, Fedora, Arch) open this file: /etc/httpd/conf/httpd.conf

Add these two lines to the end of the config:
ServerSignature Off
ServerTokens Prod

ServerSignature turns the signature off, but you still need to include ServerTokens. The server will still display its signature if you don't include it.

You will need to restart the server to make your changes take effect.
Debian based: service apache2 restart
Red Hat/Centos: service httpd restart
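
To confirm the change after the restart, the 404 response can be checked for both places the details appear: the Server response header and the footer on the error page. The script below is an added example, not part of the original post; the function name, the host placeholder and the two sample responses (including the version string) are constructed for illustration.

```shell
# Added example: audit a raw HTTP response for Apache version/OS disclosure.
# Live use (host is a placeholder): curl -si http://your-server/nonexistent | audit_response
# Reads a response on stdin, prints one line per leak; returns 0 if clean, 1 if not.
audit_response() {
    resp=$(tr -d '\r')
    leaks=0
    # Headers are everything up to the first blank line.
    server=$(printf '%s\n' "$resp" | sed -n '1,/^$/p' | grep -i '^Server:' | head -n 1)
    # With ServerTokens Prod the header is just "Server: Apache"; a version
    # number or a parenthesised OS name means more is being sent.
    if printf '%s\n' "$server" | grep -Eq '[0-9]+\.[0-9]+|\('; then
        echo "header leak: $server"
        leaks=1
    fi
    # ServerSignature On appends an <address> footer to server-generated pages.
    footer=$(printf '%s\n' "$resp" | grep -Eio '<address>Apache[^<]*</address>' | head -n 1)
    if [ -n "$footer" ]; then
        echo "footer leak: $footer"
        leaks=1
    fi
    return "$leaks"
}

# Constructed 404 response before the change (version string is made up).
sample_before() {
    cat <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache/2.4.10 (Debian)

<html><body><h1>Not Found</h1><hr>
<address>Apache/2.4.10 (Debian) Server at example.test Port 80</address>
</body></html>
EOF
}

# Constructed 404 response after ServerSignature Off + ServerTokens Prod.
sample_after() {
    cat <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache

<html><body><h1>Not Found</h1></body></html>
EOF
}

sample_before | audit_response || echo "=> still disclosing"
sample_after | audit_response && echo "=> clean"
```
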


Your web server signature should now be hidden. And that was how to turn off the server signature on an Apache web server.

Happy safe serving!