When users visit your website, your web server will sometimes offer more information than they need for an optimal, accessible user experience (UX). The average user has no valid reason to know what web server software or operating system (OS) you’re using. Fortunately, average users usually won’t see this information unless they encounter a server-generated page (e.g. 400 or 500 errors).
Not using Apache? See our article on hiding your NGINX web server version.
Why You Should Hide System Info
Verbose user interfaces and banner-grabbing applications display this information to users who are likely searching for version-specific vulnerabilities in your server environment, or who may simply be curious about what competitors are using to provide similar services. Such information can also be used for benign purposes such as marketing competitor analysis.
Regardless, hiding your OS and Apache version on CentOS/AlmaLinux or Debian/Ubuntu adds a degree of difficulty for potential cyber attackers.
How to View Server HTTP Headers
There are multiple ways to view a server’s HTTP headers. The easiest option is to use an online tool such as SecurityHeaders.com or Observatory.Mozilla.org. Some prefer browser plugins such as Wappalyzer which offer stats and more.
Remember, we do not take any responsibility for what third party organizations may be doing with the information they receive from your usage. There are many online cybersecurity tools that can help secure your server. Research and use these tools at your own risk. Feel free to notify us if you believe we’ve supported malicious third-party software.
If you’re on a Linux system, you can use the “curl” or “wget” terminal commands:
curl --head yourdomain.com
wget --server-response --spider yourdomain.com
If logged into the Linux system you’ll be modifying, you can use these commands with “localhost” in lieu of the domain:
curl --head localhost
wget --server-response --spider localhost
Within the header information you’ll see a line that states what web server software and version you’re using alongside your server OS. For example:
Server: Apache/2.4.10 (Debian)
We’ll remove everything after “Apache” to clean up the server header.
Hide Apache Version and OS
The steps below will remove your Apache version and OS from HTTP headers and server-generated pages such as 500 errors.
- Log into SSH as root.
- Edit your Apache server configuration file using Nano (or your preferred text editor).
- Scroll down to the “ServerTokens” section where you’ll probably see multiple lines commented out (beginning with “#”) stating “ServerTokens” and different options. Change the uncommented line, likely “ServerTokens OS”, or comment out the line and create a new line to hide the Apache version and OS from HTTP headers:
If you don’t see the “ServerTokens” and “ServerSignature” sections, simply add the necessary lines to the bottom of your configuration file.
- The next section down should be the “ServerSignature” section. Turning this off hides the information from server-generated pages (e.g. Internal Server Error).
- Exit the file and save changes: Ctrl + X
- Restart Apache.
CentOS/AlmaLinux:
systemctl restart httpd
Debian/Ubuntu:
systemctl restart apache2
- Recheck your server HTTP headers:
curl --head localhost
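The procedure above as a shell sketch that sets both directives in a config file and checks the resulting Server header. This is an added example, not part of the original article: the function names harden_conf and server_header_leaks are hypothetical, and “ServerTokens Prod” is assumed as the value that leaves only “Apache” in the header.

```shell
#!/bin/sh
# Added example. The config path is supplied by the caller; included files
# and per-vhost overrides are not followed.

# harden_conf FILE: comment out active ServerTokens / ServerSignature lines
# that differ from the hardened values, then set both at the bottom.
harden_conf() {
    hc_file=$1
    hc_tmp=$(mktemp) || return 1
    awk '
        { d = tolower($1); v = tolower($2) }   # directive names ignore case
        d == "servertokens" || d == "serversignature" {
            want = (d == "servertokens") ? "prod" : "off"
            if (v != want) print "#" $0        # keep the old value as a comment
            next                               # hardened lines are re-added in END
        }
        { print }
        END {
            print "ServerTokens Prod"
            print "ServerSignature Off"
        }
    ' "$hc_file" > "$hc_tmp" && cat "$hc_tmp" > "$hc_file"  # cat keeps owner and mode
    hc_rc=$?
    rm -f "$hc_tmp"
    return "$hc_rc"
}

# server_header_leaks: read response headers on stdin and exit 0 when the
# Server header shows more than the bare product name (a "/version" or an
# "(OS)" suffix); exit 1 otherwise.
server_header_leaks() {
    awk '
        tolower($1) == "server:" {
            if ($0 ~ "[/(]") leak = 1
        }
        END { exit (leak ? 0 : 1) }
    '
}

# Usage, after restarting Apache:
#   harden_conf /path/to/your/apache.conf
#   curl --silent --head localhost | server_header_leaks && echo "still disclosed"
```

Running harden_conf a second time leaves the file unchanged, so it is safe to re-run after package updates that may restore the defaults.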