When users visit your website, your web server may offer more information than they need for an optimal, accessible user experience (UX). Average users don’t need to know what web server software or operating system (OS) you’re using. Fortunately, average users usually won’t see this information unless they encounter a server-generated page (e.g. 400 or 500 errors).
However, verbose user interfaces and banner-grabbing applications display this information to users who are likely searching for version-specific vulnerabilities in your server environment, or who may be curious about what competitors are using to provide similar services. Such information can be used for benign purposes such as marketing competitor analysis.
View Server HTTP Headers
There are multiple ways to view a server’s HTTP headers. The easiest option is to use an online tool such as SecurityHeaders.com or Observatory.Mozilla.org. Some prefer browser plugins such as Wappalyzer, which offer stats and more.
Remember, we do not take any responsibility for what third party organizations may be doing with the information they receive from your usage. There are many cybersecurity tools to secure your server. Research and use these tools at your own risk. Feel free to notify us if you believe we’ve supported malware.
If you’re on a Linux system, you can use the curl or wget terminal commands:
curl --head yourdomain.com
wget --server-response --spider yourdomain.com
If logged into the Linux server you’ll be modifying, you can use these commands with localhost in lieu of the domain:
curl --head localhost
wget --server-response --spider localhost
Within the header information, you’ll see a line that states what web server software and version you’re using alongside your server OS. For example:
Server: Apache/2.4.10 (Debian)
We’ll obfuscate everything after Apache to clean up our server headers.
Hide Apache Version and OS
The steps below will remove your Apache version and OS from HTTP headers and server-generated pages such as 500 errors.
- Log into SSH as root.
- Edit your Apache server configuration file using Nano (or your preferred text editor):
- Scroll down to the ServerTokens section where you’ll probably see multiple commented out lines (beginning with #) with ServerTokens and different options. Change the uncommented line, likely ServerTokens OS, or comment out the line and create a new line to hide the Apache version and OS from HTTP headers:
If you don’t see the ServerTokens and ServerSignature sections, simply add the necessary lines to the bottom of your configuration file.
- The next section down should be the ServerSignature section. Turning this off hides the information from server-generated pages (e.g. Internal Server Error).
- Exit the file and save changes: Ctrl + X
- Restart Apache:
systemctl restart httpd
Debian:
systemctl restart apache2
- Recheck your server HTTP headers:
curl --head localhost
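The following shell check is an added example, not part of the original article: it audits the two directives edited above and the resulting Server header. The values `ServerTokens Prod` and `ServerSignature Off` are the standard Apache settings for this hardening; the function names and sample inputs are constructed, and the config check assumes a single file with no Include handling.

```shell
#!/bin/sh
# Added example: audit the hardening steps above. All sample inputs are constructed.

# Extract the Server header value from curl --head / wget --server-response output on stdin.
server_header() {
  tr -d '\r' | awk 'tolower($0) ~ /^[ \t]*server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}
# "leaks" if the banner carries a version (Apache/2...) or an OS comment "(...)".
classify_banner() {
  case "$1" in
    */[0-9]*|*"("*) echo "leaks" ;;
    *)              echo "ok" ;;
  esac
}
# Effective value of a directive in config text on stdin. Assumption: one file,
# no Include handling; commented lines are skipped and the last active line wins.
effective_directive() {
  awk -v d="$1" 'tolower($1) == tolower(d) { v = $2 }
                 END { print (v == "" ? "unset" : v) }'
}
# Audit config text ($1) and header text ($2); prints findings, returns 1 on any.
audit() {
  rc=0
  tokens=$(printf '%s\n' "$1" | effective_directive ServerTokens)
  sig=$(printf '%s\n' "$1" | effective_directive ServerSignature)
  banner=$(printf '%s\n' "$2" | server_header)
  case "$tokens" in
    [Pp]rod|[Pp]roduct[Oo]nly) ;;
    *) echo "ServerTokens is $tokens, want Prod"; rc=1 ;;
  esac
  case "$sig" in
    [Oo]ff) ;;
    *) echo "ServerSignature is $sig, want Off"; rc=1 ;;
  esac
  [ "$(classify_banner "$banner")" = "ok" ] || { echo "Server header leaks: $banner"; rc=1; }
  return $rc
}
CONF_BEFORE='#ServerTokens Minimal
ServerTokens OS
ServerSignature On'
CONF_AFTER='#ServerTokens OS
ServerTokens Prod
ServerSignature Off'
HDR_BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.10 (Debian)'
HDR_AFTER='HTTP/1.1 200 OK
Server: Apache'
audit "$CONF_BEFORE" "$HDR_BEFORE" || echo "=> before: needs hardening"
audit "$CONF_AFTER" "$HDR_AFTER" && echo "=> after: ok"
```

On a real server, pass the text of your Apache configuration file as the first argument and the output of `curl --head localhost` as the second.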