Debian Admin

Debian/Ubuntu Linux System Administration Tutorials,Howtos,Tips

  • RSS Subscribe

    subscribe to the Debian Admin RSS feed

  • Sponsors



  • Categories

  • Sponsors

  • Support DebianAdmin

    Amount $:
    Website(Optional):


  • Meta

  • Archives



« Detect content format of a disk or disk image Using disktype
Pain of the LVM and Fix »

Apache Tips:Hide Apache Information & PHP software version

Posted by Admin on March 1st, 2007

If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

By default, Apache will send version and modules information (e.g., mod_php, mod_perl, mod_ssl) in every HTTP header.

If you want to view Apache web server version and sofware of a remove server you follow this procedure

telnet www.example.com 80
Trying www.example.com.com…
Connected to www.example.com.
Escape character is ‘^]’.
HEAD / HTTP/1.0 <- after this press 2 times ENTER

HTTP/1.1 200 OK
Date: Fri, 09 Jan 2007 18:18:26 GMT
Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.

In the above example it is showing all the details about your web server and php this is not recommended for security reasons.We need to hide this information with the following procedure.

Hide Apache Information

To hide the information, add the following two apache directives in Apache configuration file /etc/apache2/apache2.conf

ServerTokens ProductOnly

ServerSignature Off

Now you need to restart your web server using the following command

#/etc/init.d/apache2 restart

Now the output for apache header looks like below

Server: Apache

Hide PHP Version Details

If you want to hide the PHP version you need to edit the /etc/php4/apache/php.ini(For php4 users) file and /etc/php5/apache/php.ini (For php5 users)

Change the following option

expose_php On

to

expose_php Off

Now you need to restart your web server using the following command

#/etc/init.d/apache2 restart

After making this change PHP will no longer add it’s signature to the web server header.

If you are running php from cli against a php file, the output is a html file (as seen by a browser). In some distributions (like Debian) the php-cli is controlled by a different php.ini file (/etc/php[4,5]/cli/php.ini).

  • Share/Save/Bookmark

You can leave a response, or trackback from your own site.

4 Responses to “Apache Tips:Hide Apache Information & PHP software version”

  1. Apache Says:
    March 4th, 2007 at 4:28 pm

    You could also use mod_headers to modify the response headers sent.

  2. redline Says:
    March 16th, 2007 at 12:29 pm

    I’m always using “ServerSignature Off” for Apache, but the info about PHP is new for me. Thanx!

  3. Johny Says:
    January 27th, 2009 at 5:13 pm

    Nice how-to thanks!

  4. yasantha Says:
    May 15th, 2009 at 7:25 am

    Thanks. After doing the above setup, the version details are not shown. But is there any way to hide (or change) the server name (Server: Apache). I want to change the server name also to something else. If that’s possible, pls let us know.

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

« Detect content format of a disk or disk image Using disktype
Pain of the LVM and Fix »