Replace Apache Servername in HTTP Headers

Change the Apache Servername

Modifying HTTP response headers is a small hardening step for a Linux server: it hides software details that attackers collect during reconnaissance. For this reason, many Linux system administrators change the Server header that Apache sends. By default, HTTP responses from your Apache server include the following:

HTTP/1.1 200 OK
Date: Mon, 10 Sep 2021 16:01:11 GMT
Server: Apache/2.4.10 (Debian)

There are multiple ways to view a server’s HTTP headers. The easiest are SecurityHeaders.com, Observatory.Mozilla.org, or the command-line interface (CLI):

curl --head yourdomain.com
wget --server-response --spider yourdomain.com

Read on to learn how to set a custom Apache servername.

Ensure you have root access to your Linux server and that the ModSecurity (mod_security) Apache module is installed.

Change Apache Servername in HTTP Headers

cPanel VPS or dedicated server administrators should follow these steps:

  1. Log into WebHost Manager (WHM) as root.
  2. On the left, select “Apache Configuration.”
  3. Select “Global Configuration.”
  4. Set “Server Signature” to “Off.”
  5. Set “Server Tokens” to “Minimal.”
  6. Select “Save” at the bottom.
  7. Select “Rebuild Configuration and Restart Apache.”
  8. Select “Terminal” on the left.
  9. Edit your ModSecurity user configuration file:
    nano /etc/apache2/conf.d/modsec/modsec2.user.conf
  10. It’s okay if the file is blank. Add the following lines, changing the custom server signature to your preference:
    ServerTokens OS

    SecServerSignature "CustomSecretiveName"
  11. Rebuild HTTPD:
    /scripts/rebuildhttpdconf
  12. Restart Apache:
    /scripts/restartsrv_httpd
  13. Check your Apache servername.
    curl --head localhost


The steps below are for non-cPanel servers.

  1. Log into SSH as root.
  2. Edit your Apache configuration file.
    CentOS:
    nano /etc/httpd/conf/httpd.conf
    Debian / Ubuntu:
    nano /etc/apache2/conf-enabled/security.conf
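  3. Add the following lines, or change the existing ones to match. For example, if ServerTokens OS is present, change “OS” to “Full.” ModSecurity writes the custom signature over the Server string Apache has already allocated, so its documentation calls for ServerTokens Full to guarantee enough room.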
    SecRuleEngine on

    ServerTokens Full

    SecServerSignature "CustomSecretiveName"
  4. If a “ServerSignature” line is enabled, you can remove it or comment it out (#).
  5. Save your changes.
  6. Restart Apache.
    CentOS:
    systemctl restart httpd
    Debian / Ubuntu:
    systemctl restart apache2
  7. Check your Apache servername.
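
A scripted version of the final “Check your Apache servername” step in both procedures, as an added example that is not part of the original article: it reads `curl --head` output on stdin and reports whether any Server header still names Apache, a version number or the OS. The function name and the sample responses are constructed here; `CustomSecretiveName` is the article's placeholder signature.

```sh
# Added example (not from the article). check_server_header, the sample_*
# functions and their responses are constructed for illustration.
# Usage: curl --silent --head localhost | check_server_header "CustomSecretiveName"
# Prints missing | leak:<value> | mismatch:<value> | ok:<value>; returns 0 only on ok.
check_server_header() {
  expected="$1"
  # Header names are case-insensitive (HTTP/2 shows "server:") and curl
  # prints CRLF line endings, so normalise both before matching.
  values=$(tr -d '\r' | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//p')
  if [ -z "$values" ]; then
    echo "missing"
    return 1
  fi
  # curl -L prints one header block per redirect hop; flag a leak in any hop.
  leak=$(printf '%s\n' "$values" |
    grep -E -i 'apache|[0-9]+\.[0-9]+|\((debian|ubuntu|centos|unix)\)' | head -n 1)
  if [ -n "$leak" ]; then
    echo "leak:$leak"
    return 1
  fi
  last=$(printf '%s\n' "$values" | tail -n 1)
  if [ "$last" != "$expected" ]; then
    echo "mismatch:$last"
    return 1
  fi
  echo "ok:$last"
}

# Constructed sample: the default response shown at the top of the article.
sample_default() {
  printf 'HTTP/1.1 200 OK\r\nDate: Mon, 10 Sep 2021 16:01:11 GMT\r\nServer: Apache/2.4.10 (Debian)\r\n\r\n'
}

# Constructed sample: HTTP/2 response after SecServerSignature is applied.
sample_hardened() {
  printf 'HTTP/2 200\r\ndate: Mon, 10 Sep 2021 16:05:00 GMT\r\nserver: CustomSecretiveName\r\n\r\n'
}

# Constructed sample: a redirect hop that still leaks, then a hardened hop.
sample_redirect() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n\r\n'
  sample_hardened
}

sample_default  | check_server_header "CustomSecretiveName" || true   # leak:Apache/2.4.10 (Debian)
sample_hardened | check_server_header "CustomSecretiveName"           # ok:CustomSecretiveName
sample_redirect | check_server_header "CustomSecretiveName" || true   # leak:Apache
```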

Are you in the middle of a cybersecurity audit? Just looking for ways to better protect your digital assets? Learn more about server hardening with our Linux VPS security eBook.

Jacqueem Content Writer I

Technical writer focused on cybersecurity and musicianship.
