How to Turn Off Server Signature


By default, Apache shows a web server signature, including the Apache version and operating system information, on error pages such as 404 Not Found and 403 Forbidden. It also includes PHP version information when PHP serves the request. The image below shows an example.

Leaving your server signature on can be a security risk, especially if you are running an older version. Each version has some deficiencies that attackers could exploit, and the signature tells them which version you are running.

Therefore, you should turn off the server signature to keep your web server safe from attackers. There are two ways to turn off the server signature:

  1. Using .htaccess
  2. Editing Apache config file

[Image: default 404 error page]

1. Using .htaccess

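This is one of the easiest ways. Note that ServerTokens cannot be set in .htaccess, so this method only removes the signature from error pages; the Server response header is controlled in the Apache config file (method 2). Just add the following code to the .htaccess file in your root folder: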

# Disable server signature
ServerSignature Off

2. Editing Apache Config file

You can also turn off the server signature by editing the Apache config file. The file location differs slightly between operating systems:

2.1 For Ubuntu, Debian or Linux Mint

Open apache2.conf file:

sudo nano /etc/apache2/apache2.conf

Add the following code at the end of apache2.conf file:

ServerSignature Off
ServerTokens Prod

Then restart your web server to activate the change:

sudo service apache2 restart

2.2 For Fedora, CentOS, RHEL or Arch Linux

Open httpd.conf file:

sudo nano /etc/httpd/conf/httpd.conf

Add the following code at the end of httpd.conf file:

ServerSignature Off
ServerTokens Prod

Then restart your web server to activate the change:

sudo systemctl restart httpd.service

Hide PHP Version

PHP version information in HTTP headers is also a potential security threat for your system. By default, responses served by Apache with PHP include the PHP version in the "X-Powered-By" HTTP header field. Here is how to hide that information:

For Ubuntu, Debian, or Linux Mint

Open php.ini file:

sudo nano /etc/php5/apache2/php.ini

Look for expose_php and change it to Off:

expose_php = Off

Then, restart your web server to activate the change:

sudo service apache2 restart

For Fedora, CentOS, RHEL or Arch Linux

Open php.ini file:

sudo nano /etc/php.ini

Look for expose_php and change it to Off:

expose_php = Off

Then, restart your web server to activate the change:

sudo systemctl restart httpd.service
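
To confirm the changes took effect, check what a response still discloses. The script below is an added example, not part of the original article: it reads a raw HTTP response (as printed by curl -si) and reports a versioned Server header, an X-Powered-By header, or the error-page signature footer. The function name disclosures and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: list what a response still discloses after the settings
# above. Input is a raw HTTP response on stdin, for example the output of:
#   curl -si http://localhost/no-such-page
disclosures() {
    tr -d '\r' | awk '
        $0 == "" { body = 1; next }          # blank line ends the headers
        !body {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
            # ServerTokens Prod leaves exactly "Server: Apache"
            if (name == "server" && value ~ "[/(0-9]")
                print "server-header: " value
            # expose_php = Off removes this header altogether
            if (name == "x-powered-by")
                print "x-powered-by: " value
            next
        }
        # ServerSignature Off removes the <address> footer on error pages
        tolower($0) ~ /<address>apache/ { print "signature-footer" }
    '
}

# Constructed sample responses (hostname and versions are made up; the
# first one merges a PHP response header into an error page for brevity).
BEFORE='HTTP/1.1 404 Not Found
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9
Content-Type: text/html

<html><body><h1>Not Found</h1>
<address>Apache/2.4.7 (Ubuntu) Server at example.test Port 80</address>
</body></html>'

AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<html><body><h1>Not Found</h1></body></html>'

echo "Before hardening:"; printf '%s\n' "$BEFORE" | disclosures
echo "After hardening:";  printf '%s\n' "$AFTER"  | disclosures
```

Empty output means nothing was flagged. With ServerTokens Prod the Server header is still sent, but it carries only the product name "Apache".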