Remove software tags from the Apache response header


Assume that the output of:

wget -S --spider http://example.com

looks like this:

HTTP/1.1 200 OK
 Date: Wed, 19 Nov 2014 08:47:22 GMT
 Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.4.30 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
 X-Powered-By: PHP/5.4.30

Goal: remove the version information and the names of the programs themselves.

How to:

In httpd.conf, set:

ServerTokens ProductOnly

ServerSignature Off

Restart Apache and check:

HTTP/1.1 200 OK
  Date: Wed, 19 Nov 2014 09:01:21 GMT
  Server: Apache
  X-Powered-By: PHP/5.4.30

To remove X-Powered-By: PHP/5.4.30:

In php.ini, set:

expose_php = off

And if you want to remove “Server: Apache”, then the fastest option is as follows:

For CentOS:

Install the EPEL repository, then:

# yum -y install mod_security

Edit /etc/httpd/conf.d/mod_security.conf and add, for example, the following (inside the <IfModule mod_security2.c> context):

ServerTokens Full
SecServerSignature "MyServer"

Restart Apache.

Final result:

HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 10:04:52 GMT
Server: MyServer

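Note:
It was observed that on CentOS 7, Apache 2.4.6-18 with mod_security 2.7.3-5 needs the Apache directive ServerTokens set to Full. ModSecurity writes the new signature over the existing server string, so the original string must be long enough to hold it.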
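
To re-check the headers after each change, the following shell function (an added example, not part of the original post) reads response headers on stdin and reports a Server value that still carries a version number and any X-Powered-By header. The name audit_headers and the SAMPLE_* variables are assumptions of this example; the sample headers are the three outputs shown above.

```shell
#!/bin/sh
# Added example: audit_headers is a hypothetical helper, not from the post.
# Reads response headers on stdin, prints one finding per line and
# returns 1 if Server carries a version number or X-Powered-By is present.
audit_headers() {
    awk '
    {
        sub(/\r$/, "")        # tolerate CRLF line endings
        sub(/^[ \t]+/, "")    # wget -S indents the header lines
    }
    tolower($0) ~ /^server:/ {
        val = $0; sub(/^[^:]*:[ \t]*/, "", val)
        # A dotted number in the Server value means ServerTokens is too verbose
        if (val ~ /[0-9]+\.[0-9]+/) { print "server-version: " val; bad = 1 }
    }
    tolower($0) ~ /^x-powered-by:/ {
        val = $0; sub(/^[^:]*:[ \t]*/, "", val)
        # Any X-Powered-By header means expose_php is still on
        print "x-powered-by: " val; bad = 1
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Sample input: the header sets shown in this post, one per stage.
SAMPLE_BEFORE='HTTP/1.1 200 OK
 Date: Wed, 19 Nov 2014 08:47:22 GMT
 Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.4.30 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
 X-Powered-By: PHP/5.4.30'

SAMPLE_TOKENS='HTTP/1.1 200 OK
  Date: Wed, 19 Nov 2014 09:01:21 GMT
  Server: Apache
  X-Powered-By: PHP/5.4.30'

SAMPLE_FINAL='HTTP/1.1 200 OK
Date: Wed, 19 Nov 2014 10:04:52 GMT
Server: MyServer'

# Check a sample:
#   printf '%s\n' "$SAMPLE_BEFORE" | audit_headers
# Live check (wget -S writes the headers to stderr):
#   wget -S --spider http://example.com 2>&1 | audit_headers
```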

 

Documentation mod_security
