Improve Apache Web Server Security: Use ServerTokens and ServerSignature to Disable Header


When the Apache HTTPD web server serves a page, it announces itself in the Server response header, and on server-generated error pages it also appends a signature footer. By default both reveal the exact Apache version, the operating system and the loaded modules. For example, the Server header may look like this:

Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/ mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b

and the footer of a 404 or other error page may read:

Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4 Server at xx.xx.xx.xx Port 80

These strings expose the exact version and variant of the Linux operating system, the Apache software and the modules running on the machine. That is not a security hole by itself, but it lets an attacker match the versions against published advisories and pick attack points without any further probing.

To stop Apache from broadcasting this information to the whole world, set the two directives ServerTokens and ServerSignature in the httpd.conf configuration file. Note that this only hides the banner; it does not fix the underlying versions, so it complements, rather than replaces, keeping Apache and its modules patched.

  1. Log in as root, or use sudo, on the web server.
  2. Open httpd.conf (Apache 1.3 and Red Hat style installs) or apache2.conf (Apache 2 on Debian and Ubuntu) with vi or another text editor. The Apache configuration is normally located in /etc/httpd/conf/, /etc/apache2/ or /etc/apache/ (Apache 1.3), depending on which Unix you’re using. On Debian and Ubuntu packages of Apache 2.2 and later the two directives may already be set in /etc/apache2/conf.d/security (2.2) or /etc/apache2/conf-available/security.conf (2.4); if so, edit them there rather than adding duplicates.
  3. Locate the line with ServerTokens. In vi you can search for it by typing “/ServerTokens” and hitting Enter.
  4. In Apache 1.3 you will likely see a line starting with #ServerTokens Full. Remove the leading # character (move the cursor onto it and press x) and change Full to Prod (press r to replace one character, or R to overtype several), so that the line becomes ServerTokens Prod. In Apache 2.0 or 2.2 the line normally does not exist, so the search fails. In that case go to the bottom of the config file and add a new line (press o to open one) with the following text:
    ServerTokens Prod
  5. Next, search for ServerSignature. In Apache 1.3 the line should be just above the ServerTokens line; edit it so that it reads as below. In Apache 2, which does not already have this line, add it as a new one:
    ServerSignature Off
  6. By now the Apache configuration file should have these two directives set as below:

    ServerSignature Off
    ServerTokens Prod

    The first line, “ServerSignature Off”, instructs Apache not to append a trailing footer line to server-generated documents (error messages, mod_proxy FTP directory listings, mod_info output and so on). That footer shows the server version number and the ServerName of the serving virtual host and, when the directive is set to EMail instead of On, also a “mailto:” reference to the ServerAdmin of the referenced document.

    The second line, “ServerTokens Prod”, configures Apache to return only “Apache” as the product in the Server response header on every request, suppressing the OS, the major and minor version numbers and the module list. Prod is the most restrictive value; the others, from least to most verbose, are Major, Minor, Min, OS and Full, and Apache 2 defaults to Full.

  7. Save and close the config file: press Esc, type :wq and hit Enter.
  8. Check the syntax with apachectl configtest (or apachectl -t), then restart Apache. Typical commands are service httpd restart or /etc/init.d/apache2 restart.
  9. Now you will get only Apache in the Server response header, which you can confirm with curl -I against the server:

    Server: Apache

    ServerTokens Prod is as far as the core server goes: there is no directive to drop the Server header altogether or to change the product name. Rewriting or removing it requires a third-party module such as mod_security (SecServerSignature).
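The following shell script is an added example and not part of the original post. It shows the check a practitioner would run over the output of curl -sI (headers) and curl -s on a non-existent URL (error page body) to confirm that both directives took effect; here it runs over constructed sample responses rather than a live host. The function names, the host www.example.invalid and the sample responses are all hypothetical.

```shell
#!/bin/sh
# Added example: verify that "ServerTokens Prod" and "ServerSignature Off"
# actually took effect. Against a live server you would feed it
#   curl -sI http://www.example.invalid/            (headers)
#   curl -s  http://www.example.invalid/no-such-page (404 body)
# www.example.invalid is a placeholder host, not a real one.

# Prints "prod"   when the Server header is exactly "Apache" (ServerTokens Prod),
#        "leaks"  when it still carries a version, OS or module string,
#        "absent" when the response has no Server header at all.
server_tokens_verdict() {
    headers="$1"
    # Strip CRs, pick the first Server: header, drop the field name.
    value=$(printf '%s\n' "$headers" | tr -d '\r' \
        | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1)
    if [ -z "$value" ]; then
        echo absent
    elif [ "$value" = "Apache" ]; then
        echo prod
    else
        echo leaks
    fi
}

# Prints "signature" when an error-page body still carries the
# ServerSignature footer ("... Server at host Port 80"), else "clean".
server_signature_verdict() {
    body="$1"
    if printf '%s\n' "$body" | grep -qE 'Server at .* Port [0-9]+'; then
        echo signature
    else
        echo clean
    fi
}

# Constructed sample responses (not captured from a real host).
before_headers='HTTP/1.1 404 Not Found
Date: Mon, 20 Mar 2017 18:21:01 GMT
Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10
Content-Type: text/html; charset=iso-8859-1'
before_body='<address>Apache/2.2.22 (Ubuntu) Server at www.example.invalid Port 80</address>'

after_headers='HTTP/1.1 404 Not Found
Date: Mon, 20 Mar 2017 18:21:01 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1'
after_body='<p>The requested URL /no-such-page was not found on this server.</p>'

echo "before hardening: header=$(server_tokens_verdict "$before_headers") footer=$(server_signature_verdict "$before_body")"
echo "after  hardening: header=$(server_tokens_verdict "$after_headers") footer=$(server_signature_verdict "$after_body")"
```

Run against the real server, "leaks" after a restart usually means the directives landed in a file that is not included, or a duplicate ServerTokens later in the configuration overrides yours; "signature" on a 404 page means ServerSignature Off was not applied in the virtual host that served the error.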

March 20th, 2017 | Categories: Web Servers | 18 Comments

About the Author:

LK is a technology writer for Tech Journey with a background as a system and network administrator. He has been documenting his experiences in the digital and technology world for over 15 years. Connect with LK through Tech Journey on Facebook, Twitter or Google+.
  • It's a really useful article to secure your dedicated web servers. The information provided makes it easy to make changes on the server.

  • Many thanks, I have been using ServerSignature Off for a long time now, but the second one is quite new.

    Do you know how you can actually edit the ServerSignature so you can decide which information to send in case of an error?

  • "ServerTokes"?? Is that some kind of Freudian slip?

  • namez

    Hello! After ServerTokens Prod we have only the text – apache
    It's cool! But how and where can I edit this text? =) for example : -)

    Thanks! Russia

  • Raynard

    Finally found the information I needed. Thanks for this.

  • IAmHe

    How might one apply this same concept to a Jetty web server?

  • Free

    Just applied Server signature off and token to our Apache through .htaccess file. It’s working.

  • Roger

    I can’t find the apache2.conf!?!

  • Jitesh Ghushe

    How to do this with IIS?

  • hc

    Know your site or blog’s page hit count using:

  • Mary Rax


    I am working on one of my client’s projects which loads up very, very slowly. I was going through the possible fixes and came across the one below but am not sure whether this would work or not. Can somebody help?

    How to fix – Page Cache Test (Server Side Caching)
    In order to pass this test you are advised to use a caching mechanism for your pages. There are three methods which can be used for caching your web pages:
    Alternative PHP caching
    – Alternative PHP Cache (APC) is an open source framework which caches data using intermediate PHP code. Most web programmers who are familiar with the PHP programming language can easily set up Alternative PHP Cache for your site.
    – Quickcache is a lightweight page caching solution which was formerly known as jpcache. Quickcache caches the page output rather than compiling the PHP page, making it a superior version of page caching to the Alternative PHP caching. Quickcache can be quickly downloaded from their website and can reduce your page load time up to 80%.
    WP Super Cache
    – If you have a WordPress website, WP Super Cache can be installed within seconds and without any programming knowledge.

    Mary Rax

  • Mary Rax

    Yes, I did the same for my client’s project which had the issue of returning error pages, e.g. 404 not found. I had to turn off the server signature as it was a great security risk: you are essentially telling attackers the known vulnerabilities of your system, therefore it is recommended to disable all web server signatures as part of the server hardening process. The Apache web server is the world's most used server as it works on all OSes and is compatible with all languages like Perl, Python, Tcl and PHP.

  • Ali

    Nice, that’s helped my website so much.

  • How do we disable it if we use hosting at GoDaddy?


    • Ryan Christopher Smith

      You can’t. You need a different hosting company.

  • mengheang

    Can you explain to me more about how ServerTokens Prod works, with an example?

  • mengheang

    Can you explain to me more about how ServerTokens Prod works, with an example?