How to Hide Your Apache Version and Linux OS From HTTP Headers

When users visit your website, your web server may offer more information than they need for an optimal, accessible user experience (UX). Average users don’t need to know what web server software or operating system (OS) you’re using. Fortunately, average users usually won’t see this information unless they encounter a server-generated page (e.g. 400 or 500 errors).

However, verbose user interfaces and banner-grabbing applications display this information to users who are likely searching for version-specific vulnerabilities in your server environment, or who may be curious about what competitors are using to provide similar services. Such information can also be used for benign purposes such as marketing competitor analysis.

Regardless, hiding your operating system (OS) and Apache version on CentOS or Debian/Ubuntu adds some difficulty for potential cyber attackers. Below we cover how to view your server’s HTTP headers and how to hide the Apache version and OS.

View Server HTTP Headers

There are multiple ways to view a server’s HTTP headers. The easiest option is to use an online tool such as SecurityHeaders.com or Observatory.Mozilla.org. Some prefer browser plugins such as Wappalyzer, which offer stats and more.

Remember, we do not take any responsibility for what third-party organizations may be doing with the information they receive from your usage. There are many cybersecurity tools to secure your server. Research and use these tools at your own risk. Feel free to notify us if you believe we’ve supported malware.

If you’re on a Linux system, you can use the curl or wget terminal commands:

curl --head yourdomain.com
wget --server-response --spider yourdomain.com

If logged into the Linux server you’ll be modifying, you can use these commands with localhost in lieu of the domain:

curl --head localhost
wget --server-response --spider localhost

Within the header information, you’ll see a line that states what web server software and version you’re using alongside your server OS. For example:

Server: Apache/2.4.10 (Debian)

We’ll obfuscate everything after Apache to clean up our server headers.

Hide Apache Version and OS

The steps below will remove your Apache version and OS from HTTP headers and server-generated pages such as 500 errors.

  1. Log into SSH as root.
  2. Edit your Apache server configuration file using Nano (or your preferred text editor):
    CentOS:
    nano /etc/httpd/conf/httpd.conf
    Debian:
    nano /etc/apache2/conf-enabled/security.conf
  3. Scroll down to the ServerTokens section where you’ll probably see multiple commented out lines (beginning with #) stating ServerTokens and different options. Change the uncommented line, likely ServerTokens OS, or comment out the line and create a new line to hide the Apache version and OS from HTTP headers:
     ServerTokens Prod

    If you don’t see the ServerTokens and ServerSignature sections, simply add the necessary lines to the bottom of your configuration file.

  4. The next section down should be the ServerSignature section. Turning this off hides the information from server-generated pages (e.g. Internal Server Error).
    ServerSignature Off
  5. Exit the file and save changes: Ctrl + X
  6. Restart Apache:
    CentOS:
    systemctl restart httpd
    Debian:
     systemctl restart apache2
  7. Recheck your server HTTP headers:
    curl --head localhost
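
The checks in steps 3, 4 and 7 can be scripted. The following is an added example, not part of the original article: it classifies a Server header as minimal or leaky and reports the ServerTokens and ServerSignature values set in a configuration file. The function names and the sample configuration are constructed for illustration, and the script assumes a single file with no Include handling, where the last uncommented directive wins.

```bash
# Added example, not from the original article.
# Reads raw response headers on stdin (curl --head or wget --server-response
# output) and prints: absent | minimal | leaky.
server_header_status() {
  local value
  value=$(awk 'tolower($0) ~ /^[ \t]*server:/ && v == "" {
                 sub(/\r$/, ""); sub(/^[^:]*:[ \t]*/, ""); v = $0 }
               END { print v }')
  if [ -z "$value" ]; then echo absent
  elif printf '%s\n' "$value" | grep -Eq '[/(]'; then echo leaky  # version or (OS)
  else echo minimal                                               # e.g. "Apache"
  fi
}

# Prints the value of directive $1 in config file $2, lowercased, or "unset".
# Assumption: one file, no Include handling; the last uncommented line wins.
effective_directive() {
  awk -v d="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    tolower($1) == d { v = tolower($2) }
    END { print (v == "" ? "unset" : v) }' "$2"
}

# Returns 0 only when the file sets ServerTokens Prod and ServerSignature Off.
audit_config() {
  local tokens sig
  tokens=$(effective_directive ServerTokens "$1")
  sig=$(effective_directive ServerSignature "$1")
  echo "ServerTokens=$tokens ServerSignature=$sig"
  [ "$tokens" = prod ] && [ "$sig" = off ]
}

# Constructed sample: a config fragment as it might look before the change.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
#ServerTokens Minimal
ServerTokens OS
#ServerTokens Full
ServerSignature On
EOF

printf 'Server: Apache/2.4.10 (Debian)\r\n' | server_header_status
audit_config "$sample_conf" || echo "config still discloses version/OS"
```

On a live server, pipe the real headers in with curl --silent --head localhost | server_header_status and pass the configuration file from step 2 to audit_config.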

Are you looking for other ways to secure your Linux server? Check out our guides on how to harden your cloud server or cPanel-managed VPS/dedicated server.