Home  »  ArticlesGuidesHow ToTechnology   »   How to Hide Apache and PHP Version From HTTP Headers

How to Hide Apache and PHP Version From HTTP Headers

This is why you may want to hide Apache web server and PHP versions used on your server in times when cybersecurity is a major cause for concern.

The reason why you may want to do this is that potential hackers can use that information to exploit known security holes in vulnerable releases.

It is therefore advisable as a step to harden your server and expose as little as possible about your server to the general public.

You can use the command below to view what information your server is sending to end-users in the HTTP headers.

$ wget --server-response --spider http://example.com/

part of your response will contain the headers similar to this:

HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Thu, 11 Jun 2020 09:52:58 GMT
  Server: Apache/2.4.43 (Ubuntu)
  X-Powered-By: PHP/7.4.0+ubuntu18.04.1+deb
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Location: https://toshiba.main/
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1

Now that you have gotten a view of the current headers sent, you are ready to begin hiding the Apache/PHP headers

Step 1: Hide Apache Server Details

Open the Apache configuration file on your system. The Apache configuration file can be found at the following location:

CentOS/Fedora/Redhat based distros

$ sudo nano /etc/httpd/conf/httpd.conf

On Ubuntu/Debian based distros

$ sudo nano /etc/apache2/conf-enabled/security.conf

ServerTokens Directive

We are then going to set up the ServerTokens directive. This directive controls whether the response header which is sent back to clients includes the generic OS details.

Here you can use one of the following options Full, Prod, Major, Minor, Min, or OS as specified in the official Apache documentation found here.

in our example, we use Prod to display minimal information.

ServerTokens Prod   # Result is Server: Apache

ServerSignature Directive

Next, we need to set up the ServerSignature directive. This one configures whether server information will be displayed in the footer on server-generated documents such as the 404 error page.

To set this directive uses the same Apache configuration file and search ServerSignature directive and update it as shown below.

ServerSignature Off

Save and close the file. You can find out more about the ServerSignature Directive here.

Step 2: Hide the PHP Version

By default PHP installation exposes to the world that PHP is installed on the server within the HTTP header e.g., X-Powered-By: PHP/7.4.0.

You can disable this behavior by editing the PHP configuration files used in your system. Open the relevant php.ini files below

CentOS/Fedora/Redhat based distros

$ sudo nano /etc/php.ini

On Ubuntu/Debian based distros

$ sudo nano /etc/php/7.4/apache2/php.ini

Note the version number in the Ubuntu/Debian distros. Search for the directive below and set it to Off.

expose_php = Off

Finally: Restart Apache and Verify Settings

CentOS/Fedora/Redhat based distros

$ sudo sytemctl restart httpd

On Ubuntu/Debian based distros

$ sudo sytemctl restart apache2

Query the server again

$ wget --server-response --spider http://example.com/

In the server response, confirm that X-Powered-By is no longer displayed and the Server: Apache is what is displayed as the server without any other version information.


That is how to hide Apache and PHP versions from the world on your server. Be sure to repeat the same process if you are running multiple PHP versions on your server by changing the PHP version number in Step 2.

Found this article interesting? Follow Brightwhiz on Facebook, Twitter, and YouTube to read and watch more content we post.

Available under:
Articles, Guides, How To, Technology