Windows VPS Hosting
Linux VPS Hosting
In this security-related guide, we will show you how to disable Apache and PHP versions from being disclosed in HTTP headers. While not a security threat itself, by default Apache sends version info about the software running on the server in every HTTP header. An “investigative user” could use this information to determine that your server is running Apache, PHP, and OpenSSL, in addition to the specific releases of each software. To hide this info from users, you will need to modify httpd.conf and php.ini.
How to Hide Apache and PHP Versions in HTTP Headers
1. First, log in to your Linux server or VPS via shell (SSH) with root privileges. 2. Locate your httpd.conf file, the main configuration file for Apache, sometimes called apache2.conf. Add the following lines to the bottom of the file:
ServerTokens ProductOnly
ServerSignature Off
3. Locate your php.ini file, the main configuration file for PHP. Search for the directive “expose_php” and change it from On to Off. 4. Restart Apache by running one of the following commands as needed: service httpd restart
/etc/init.d/apache2 restart
That’s it! You can test the modification in 2 ways:
- Navigate to a random, non-existent page on your website, in order to generate a 404 error. The server signature including version info should not be printed at the bottom of the error.
- In a terminal or command prompt, run “telnet www.yoursite.com 80”. When it connects, type “HEAD / HTTP/1.0″ and press Enter once or twice. The server signature including version info should not be returned, and the connection will close after several seconds.
This guide applies to:
