In times when cybersecurity is a major cause for concern, you may want to hide the Apache web server and PHP versions used on your server.
The reason is that potential attackers can use that information to target known security holes in vulnerable releases.
Hiding it is therefore an advisable step to harden your server and expose as little as possible about it to the general public.
You can use the command below to view what information your server is sending to end-users in the HTTP headers.
$ wget --server-response --spider http://example.com/
Part of the response will contain headers similar to these:
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Date: Thu, 11 Jun 2020 09:52:58 GMT
Server: Apache/2.4.43 (Ubuntu)
X-Powered-By: PHP/7.4.0+ubuntu18.04.1+deb
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: https://toshiba.main/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Now that you have seen the headers currently being sent, you are ready to begin hiding the Apache/PHP details.
Step 1: Hide Apache Server Details
Open the Apache configuration file on your system. The Apache configuration file can be found at the following location:
CentOS/Fedora/Redhat based distros
$ sudo nano /etc/httpd/conf/httpd.conf
On Ubuntu/Debian based distros
$ sudo nano /etc/apache2/conf-enabled/security.conf
ServerTokens Directive
We are then going to set the ServerTokens directive. This directive controls how much detail the Server response header sent back to clients includes: the Apache version, the operating system, and compiled-in modules.
Here you can use one of the following options: Full, Prod, Major, Minor, Min, or OS, as specified in the official Apache documentation.
In our example, we use Prod to display minimal information. (Apache does not allow comments at the end of a directive line, so the comment goes on its own line.)
# Result is: Server: Apache
ServerTokens Prod
ServerSignature Directive
Next, we need to set the ServerSignature directive. This one controls whether server information is displayed in the footer of server-generated documents such as the 404 error page.
To set this directive, use the same Apache configuration file: search for the ServerSignature directive and update it as shown below.
ServerSignature Off
Save and close the file. You can find out more about the ServerSignature directive in the official Apache documentation.
Step 2: Hide the PHP Version
By default, a PHP installation announces to the world that PHP is installed on the server through an HTTP header, e.g. X-Powered-By: PHP/7.4.0.
You can disable this behavior by editing the PHP configuration file used on your system. Open the relevant php.ini file as shown below.
CentOS/Fedora/Redhat based distros
$ sudo nano /etc/php.ini
On Ubuntu/Debian based distros
$ sudo nano /etc/php/7.4/apache2/php.ini
Note that the path on Ubuntu/Debian contains the PHP version number; adjust it to match the version you have installed. Search for the directive below and set it to Off.
expose_php = Off
Finally: Restart Apache and Verify Settings
CentOS/Fedora/Redhat based distros
$ sudo systemctl restart httpd
On Ubuntu/Debian based distros
$ sudo systemctl restart apache2
Query the server again
$ wget --server-response --spider http://example.com/
In the server response, confirm that X-Powered-By is no longer present and that the Server header reads only Server: Apache, with no version or OS information.
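The verification step above can be automated so it can be run after every configuration change or from a monitoring job. The script below is an added example, not part of the original article: it takes a block of response headers (such as the output of the wget command above) and reports whether the Server header still carries a version or OS string, or whether an X-Powered-By header is still present. The two header blocks embedded in it are constructed samples that mimic the "before" and "after" state of the procedure.

```shell
#!/bin/sh
# Added example: detect version disclosure in HTTP response headers.
# check_headers HEADER_TEXT
#   returns 0 when no Server version/OS or X-Powered-By leak is found,
#   returns 1 otherwise, printing one LEAK line per finding.
# Header lines may be indented (wget --server-response prefixes them with spaces).
check_headers() {
    leaks=0
    # Any ServerTokens setting other than Prod yields "Apache/<version>...",
    # so a slash in the Server header means version information is exposed.
    if printf '%s\n' "$1" | grep -i '^[[:space:]]*Server:' | grep -q '/'; then
        echo "LEAK: Server header discloses version/OS"
        leaks=1
    fi
    # X-Powered-By is emitted while expose_php = On in php.ini.
    if printf '%s\n' "$1" | grep -qi '^[[:space:]]*X-Powered-By:'; then
        echo "LEAK: X-Powered-By header present (expose_php still On?)"
        leaks=1
    fi
    return $leaks
}

# Constructed sample: headers before hardening (ServerTokens OS, expose_php On).
BEFORE='HTTP/1.1 200 OK
  Server: Apache/2.4.43 (Ubuntu)
  X-Powered-By: PHP/7.4.0
  Content-Type: text/html'

# Constructed sample: headers after hardening (ServerTokens Prod, expose_php Off).
AFTER='HTTP/1.1 200 OK
  Server: Apache
  Content-Type: text/html'

echo "Before hardening:"
check_headers "$BEFORE" || echo "-> server still needs hardening"
echo "After hardening:"
check_headers "$AFTER" && echo "-> OK: no version disclosure"

# Live use against a real host (wget writes headers to stderr):
#   check_headers "$(wget --server-response --spider http://example.com/ 2>&1)"
```

Run it against the live output of wget to turn the manual check into a pass/fail test; a non-zero exit status means one of the two steps above has not taken effect (for example, Apache was not restarted, or a different php.ini than the one loaded by mod_php was edited).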
Conclusion.
That is how to hide Apache and PHP versions from the world on your server. Be sure to repeat the same process if you are running multiple PHP versions on your server by changing the PHP version number in Step 2.