How to Hide Apache and PHP Version in HTTP Headers (Linux VPS/Server)

In this security-related guide, we will show you how to disable Apache and PHP versions from being disclosed in HTTP headers. While not a security threat itself, by default Apache sends version info about the software running on the server in every HTTP header. An “investigative user” could use this information to determine that your server is running Apache, PHP, and OpenSSL, in addition to the specific releases of each software. To hide this info from users, you will need to modify httpd.conf and php.ini.

How to Hide Apache and PHP Versions in HTTP Headers

1. First, log in to your Linux server or VPS via shell (SSH) with root privileges. 2. Locate your httpd.conf file, the main configuration file for Apache, sometimes called apache2.conf. Add the following lines to the bottom of the file:

ServerTokens ProductOnly

ServerSignature Off

3. Locate your php.ini file, the main configuration file for PHP. Search for the directive “expose_php” and change it from On to Off. 4. Restart Apache by running one of the following commands as needed: service httpd restart

/etc/init.d/apache2 restart

That’s it! You can test the modification in 2 ways:

  • Navigate to a random, non-existent page on your website, in order to generate a 404 error. The server signature including version info should not be printed at the bottom of the error.
  • In a terminal or command prompt, run “telnet 80”. When it connects, type “HEAD / HTTP/1.0″ and press Enter once or twice. The server signature including version info should not be returned, and the connection will close after several seconds.

This guide applies to:

This entry was posted in cPanel/WHM, Guides & How To's, Linux VPS, Security, Tech Support, VPS Hosting and tagged , , , , . Bookmark the permalink. Trackbacks are closed, but you can post a comment.

Questions? We're here to help.