{"id":492847,"date":"2022-09-14T03:48:58","date_gmt":"2022-09-14T00:48:58","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-hide-apaches-version-number-and-operating-system-information\/"},"modified":"2022-09-14T03:48:58","modified_gmt":"2022-09-14T00:48:58","slug":"how-to-hide-apaches-version-number-and-operating-system-information","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-hide-apaches-version-number-and-operating-system-information\/","title":{"rendered":"How to Hide Apache\u2019s Version Number and Operating System Information"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9CHow_to_Hide_Apaches_Version_Number_and_Operating_System_Information%E2%80%9D\"><\/span>&#8220;How to Hide Apache\u2019s Version Number and Operating System Information&#8221;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<div>\n<img
loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage alignnone size-full wp-image-831960\" data-pagespeed-no-defer=\"\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/09\/Apache.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Image showing the logo of the Apache server project\" width=\"1202\" height=\"677\"\/><\/p>\n<p>Apache is one of the most popular web servers but its default configuration contains questionable choices on many Linux distributions. Apache tends to advertise its specific version and the platform it\u2019s running on, information that could be valuable to attackers.<\/p>\n<p>This quick article will show you how to disable this output to help protect your server. There\u2019s usually no reason for it to be active and turning it off should only take a minute.<\/p>\n<h2 id=\"whats-the-problem\"><span class=\"ez-toc-section\" id=\"Whats_the_Problem\"><\/span>What\u2019s the Problem?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Here\u2019s a fresh Apache 2.4 installation displaying a directory index:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-831962\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/09\/Screenshot-from-2022-09-02-20-50-09.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Image of the default Apache index page showing the server signature\" width=\"960\" height=\"540\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The page\u2019s footer reveals the Apache version code, operating system name, and internal IP address and port number of your server.<\/p>\n<p>\u00a0<\/p>\n<p>These are potentially sensitive details. A zero-day vulnerability in Apache might affect only a small range of versions. 
By leaving this output turned on, you\u2019re displaying to the world whether your machine\u2019s at risk. This makes it much easier for attackers to identify your host as a potential target.<\/p>\n<p>Apache refers to this data as its \u201cserver signature.\u201d It\u2019s not confined to the directory index pages: the version code gets included in every HTTP response within the <code>Server<\/code> header:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-831963\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/09\/Screenshot-from-2022-09-02-20-57-33.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"image showing how Apache response headers include the server signature by default\" width=\"967\" height=\"514\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>It\u2019ll be present irrespective of the response\u2019s status code. Attackers can find your precise Apache version by simply sending a request to your server, whether or not they know a valid URL.<\/p>\n<h2 id=\"disabling-the-server-signature\"><span class=\"ez-toc-section\" id=\"Disabling_the_Server_Signature\"><\/span>Disabling the Server Signature<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>There are two parts to disabling this unwanted output. First is the <code>ServerSignature<\/code> value in your Apache config file. The location of this file varies; <code>\/etc\/apache2\/apache2.conf<\/code> and <code>\/usr\/local\/apache2\/conf\/httpd.conf<\/code> are two common possibilities.
The <code>ServerSignature<\/code> directive\u2019s also supported inside <code>.htaccess<\/code> files in your web root.<\/p>\n<p>Set the directive to <code>Off<\/code> to disable the signature that appears on server-generated webpages:<\/p>\n<pre>ServerSignature Off<\/pre>\n<p>Restart Apache to apply the change:<\/p>\n<pre>$ sudo service apache2 restart<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-831961\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-02-at-22-12-08-Index-of-_demo.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Image of the default Apache index page without the server signature\" width=\"960\" height=\"468\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>This affects directory listings, Apache\u2019s default error pages, and other HTML output produced by the server. <code>Off<\/code> completely removes the signature line. The setting optionally supports a third value, <code>EMail<\/code>, that provides a link to send an email to the address defined by <code>ServerAdmin<\/code>:<\/p>\n<pre>ServerAdmin example@example.com\nServerSignature EMail<\/pre>\n<p>This replaces the Apache version information with the email link.<\/p>\n<h2 id=\"managing-server-tokens\"><span class=\"ez-toc-section\" id=\"Managing_Server_Tokens\"><\/span>Managing Server Tokens<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The content of the <code>Server<\/code> response header is controlled by a different setting, <code>ServerTokens<\/code>.
This can only be set by your server\u2019s global configuration file. It\u2019s not supported inside <code>.htaccess<\/code> files.<\/p>\n<p>The default value is <code>Full<\/code> which presents the precise version string and operating system name observed in the example above. This can also include the version numbers of loaded modules and CGI content engines such as PHP.<\/p>\n<p>The following alternative values are supported:<\/p>\n<ul>\n<li><strong><code>Full<\/code><\/strong> \u2013 <code>Apache\/2.4.2 (Ubuntu)<\/code><\/li>\n<li><strong><code>Prod<\/code><\/strong> \u2013 <code>Apache<\/code><\/li>\n<li><strong><code>Major<\/code><\/strong> \u2013 <code>Apache\/2<\/code><\/li>\n<li><strong><code>Minor<\/code><\/strong> \u2013 <code>Apache\/2.4<\/code><\/li>\n<li><strong><code>Min<\/code><\/strong> \u2013 <code>Apache\/2.4.2<\/code><\/li>\n<li><strong><code>OS<\/code><\/strong> \u2013 Same as <code>Full<\/code> but without information about loaded modules<\/li>\n<\/ul>\n<p>The <code>Prod<\/code> choice is the safest value. You can think of it as <code>Production<\/code>, although it\u2019s actually short for <code>ProductOnly<\/code>. This server token means the <code>Server<\/code> header will only reveal you\u2019re using Apache, without any extra info about the release. Attackers will have to do more trial and error investigation to find exploitable vulnerabilities in your installation.<\/p>\n<p>Unfortunately there\u2019s no way to remove the <code>Server<\/code> header altogether. 
Apache actually <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/httpd.apache.org\/docs\/2.4\/mod\/core.html#servertokens\">maintains that<\/a> disabling it \u201cdoes nothing at all to make your server more secure\u201d and suggests use of <code>Min<\/code> to make it easier to debug interoperational problems.<\/p>\n<p>However most people never consume the <code>Server<\/code> header and it\u2019s always safest to advertise the least possible information about your system. While it won\u2019t prevent the exploit of vulnerabilities, <code>ServerTokens Prod<\/code> could deter attackers from making speculative attempts. It\u2019ll also make it harder for passersby to glean details of your tech stack\u2019s inner workings. It\u2019s only a small hardening but one day it could be the difference you need.<\/p>\n<h2 id=\"what-about-php\"><span class=\"ez-toc-section\" id=\"What_About_PHP\"><\/span>What About PHP?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Apache\u2019s often used in front of websites and applications powered by PHP. Unfortunately PHP has its own habit of providing its version number to the internet. It will appear in the <code>X-Powered-By<\/code> header of responses sent by your PHP code.<\/p>\n<p>You can turn this off by modifying your PHP configuration file with the following line:<\/p>\n<pre>expose_php = Off<\/pre>\n<p>The config file can usually be found at <code>\/etc\/php\/8.1\/apache2\/php.ini<\/code>. Replace <code>8.1<\/code> with the PHP version you\u2019re using. You\u2019ll need to restart your web server to apply the change.<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Apache\u2019s default configuration exposes the precise version number of your server, as well as its operating system and IP address. 
This seemingly innocuous information can lend a helping hand to attackers looking for vulnerable servers.<\/p>\n<p>Turning off the server signature is a quick way to harden your environment. It\u2019s also a good idea to address similar information exposure from other software in your stack at the same time. PHP and some web frameworks come with similar vulnerabilities.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.howtogeek.com\/devops\/how-to-hide-apaches-version-number-and-operating-system-information\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;How to Hide Apache\u2019s Version Number and Operating System Information&#8221; Apache is one of the most popular web servers but its default configuration contains questionable choices on many Linux distributions. Apache tends to advertise its specific version and the platform it\u2019s running on, information that could be valuable to attackers.
This quick article will show&#8230;<\/p>\n","protected":false},"author":1,"featured_media":492848,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/09\/Apache.jpg?height=200p&trim=2,2,2,2","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-492847","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/492847","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=492847"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/492847\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/492848"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=492847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=492847"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=492847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}