How to Hide Your Apache Version and Linux OS From HTTP Headers


When users visit your website, your web server will sometimes offer more information than they need for an optimal, accessible user experience (UX). The average user has no valid reason for needing to know what web server software or operating system (OS) you’re using. Fortunately, average users usually won’t see this information unless they encounter a server-generated page (e.g. 400 or 500 errors).

Not using Apache? See our article on hiding your NGINX web server version.

Why You Should Hide System Info

Verbose user interfaces and banner-grabbing applications display this information to people who may be searching for version-specific vulnerabilities in your server environment, or who may simply be curious about what competitors use to provide similar services. The information can also be used for benign purposes such as marketing competitor analysis.

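Regardless, hiding your OS and Apache version on CentOS/AlmaLinux or Debian/Ubuntu adds a degree of difficulty for potential cyber attackers. It does not fix any vulnerability in the software itself, so keep Apache and the OS patched as well.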

How to View Server HTTP Headers

There are multiple ways to view a server’s HTTP headers. The easiest option is to use an online tool such as SecurityHeaders.com or Observatory.Mozilla.org. Some prefer browser plugins such as Wappalyzer, which offers stats and more.

Remember, we do not take any responsibility for what third-party organizations may be doing with the information they receive from your usage. There are many online cybersecurity tools that can help secure your server. Research and use these tools at your own risk. Feel free to notify us if you believe we’ve supported malicious third-party software.

If you’re on a Linux system, you can use the “curl” or “wget” terminal commands:

curl --head yourdomain.com
wget --server-response --spider yourdomain.com

If logged into the Linux system you’ll be modifying, you can use these commands with “localhost” in lieu of the domain:

curl --head localhost
wget --server-response --spider localhost

Within the header information you’ll see a line that states what web server software and version you’re using alongside your server OS. For example:

Server: Apache/2.4.10 (Debian)

We’ll remove everything after “Apache” so that the header reads only “Server: Apache”.

Hide Apache Version and OS

The steps below will remove your Apache version and OS from HTTP headers and server-generated pages such as 500 errors.

  1. Log into SSH as root.
  2. Edit your Apache server configuration file using Nano (or your preferred text editor).
    CentOS/AlmaLinux:
    nano /etc/httpd/conf/httpd.conf
    Debian/Ubuntu:
    nano /etc/apache2/conf-enabled/security.conf
  3. Scroll down to the “ServerTokens” section where you’ll probably see multiple lines commented out (beginning with “#”) stating “ServerTokens” and different options. Change the uncommented line, likely “ServerTokens OS”, or comment out the line and create a new line to hide the Apache version and OS from HTTP headers:
    ServerTokens Prod

    If you don’t see the “ServerTokens” and “ServerSignature” sections, simply add the necessary lines to the bottom of your configuration file.

  4. The next section down should be the “ServerSignature” section. Turning this off hides the information from server-generated pages (e.g. Internal Server Error).
    ServerSignature Off
  5. Exit the file and save changes: Ctrl + X
  6. Restart Apache.
    CentOS/AlmaLinux:
    systemctl restart httpd
    Debian/Ubuntu:
    systemctl restart apache2
  7. Recheck your server HTTP headers:
    curl --head localhost
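
To check the result without reading the output by eye, the following added example (not part of the original article) reads the last uncommented ServerTokens and ServerSignature values from a single configuration file and tests a response's Server header for a version number or OS comment. The function names are hypothetical, and Include files and per-virtual-host overrides are not followed.

```sh
#!/bin/sh
# Added example, not from the original article. One file only: Include /
# IncludeOptional and per-vhost ServerSignature overrides are not followed.

# Print the last uncommented value of directive $1 in config file $2.
# Directive names are case-insensitive; lines starting with "#" are comments.
effective_directive() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(want) { val = $2 }
        END { print val }
    ' "$2"
}

# Return 0 if config file $1 hides version and OS, 1 otherwise.
config_is_hardened() {
    tokens=$(effective_directive ServerTokens "$1" | tr 'A-Z' 'a-z')
    sig=$(effective_directive ServerSignature "$1" | tr 'A-Z' 'a-z')
    case "$tokens" in
        prod|productonly) ;;
        # Unset falls back to Apache's default (Full), which shows both.
        *) echo "ServerTokens is '${tokens:-unset}'"; return 1 ;;
    esac
    case "$sig" in
        ""|off) ;;   # Apache's built-in default is Off
        *) echo "ServerSignature is '$sig'"; return 1 ;;
    esac
}

# Read response headers on stdin, e.g. from: curl -s --head localhost
# Return 0 unless the Server header has a version number or "(OS)" comment.
header_is_clean() {
    server=$(tr -d '\r' | awk 'tolower($1) == "server:" && !n++ {
        sub(/^[^:]*:[ \t]*/, ""); print }')
    case "$server" in
        */[0-9]*|*\(*) echo "leaks: $server"; return 1 ;;
    esac
}

# Constructed sample: the header line the article shows before the change.
printf 'Server: Apache/2.4.10 (Debian)\r\n' | header_is_clean || true
```

On a live server, pipe the output of curl -s --head localhost into header_is_clean and pass the configuration file you edited in step 2 to config_is_hardened.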

Are you looking for other ways to better secure your Linux server? Check out our guides on VPS Security and how to harden your cloud server.


Thoughts on “How to Hide Your Apache Version and Linux OS From HTTP Headers”

  • Dear inmotion team,

    Thanks for this useful guide! It’s enough to reload apache’s configuration via systemctl reload httpd, no need to restart the server.

    Best regards,
    Leif
