When managing a website or application on a server, particularly on shared hosting or colocation, security should be a top priority. One often overlooked security aspect is hiding sensitive information in your HTTP headers—such as the Apache version and Linux OS details. These headers can give attackers valuable insights into your server setup, making it easier for them to exploit known vulnerabilities.
In this guide, we will walk you through how to hide your Apache version and Linux OS from HTTP headers, keeping your server environment more secure.
Every time a request is made to your web server, it returns an HTTP response header. By default, Apache includes information such as:
Apache version (e.g., Apache/2.4.41)
OS name (e.g., Ubuntu)
Attackers can easily use this information to identify your server’s software version, and if your server is running an outdated or vulnerable version, it becomes a potential target. Hiding this information gives automated scanners less to match against lists of known-vulnerable versions. It does not fix any vulnerability in the software itself, so treat it as a complement to patching, not a replacement.
Whether you're hosting your site on a colocation server or a shared hosting environment, securing these details is crucial to hardening your web server.
Before we dive into making changes, let’s first see what information your Apache server is currently exposing. You can check your HTTP headers using tools like curl or online services like Security Headers.io.
To check using curl:
curl -I http://yourwebsite.com
This will return the HTTP headers, and you should see something like this:
Server: Apache/2.4.41 (Ubuntu)
In this case, the server is exposing both the Apache version and the operating system. Let’s fix that.
To hide the Apache version and OS, you'll need to edit your Apache configuration file. The configuration file is usually located at /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf, depending on your server setup.
Here’s how to proceed:
Open the configuration file in your favorite text editor:
sudo nano /etc/apache2/apache2.conf
(Replace the path if your Apache config file is located elsewhere.)
Locate or add the following lines to the configuration file:
ServerTokens Prod
ServerSignature Off
ServerTokens Prod: This directive tells Apache to return minimal information about the server. With this setting, the Server header will only show “Apache,” hiding the version and OS details.
ServerSignature Off: This hides the server version on server-generated error pages.
Save and close the file.
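For the changes to take effect, you need to restart the Apache service. Run the following command (on systems where the configuration lives under /etc/httpd, the service is named httpd instead of apache2):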
sudo systemctl restart apache2
or
sudo service apache2 restart
This will apply your configuration changes and remove the version and OS details from the HTTP headers.
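If the header does not change after the restart, the usual cause is a second copy of the same directives in an included file, since a later or more specific occurrence can override the one you edited. The script below is an added example, not part of the original guide: it lists every active ServerTokens and ServerSignature directive under a configuration root and flags any value other than Prod or Off. The sample tree and its file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): find every active
# ServerTokens / ServerSignature directive under a config root and flag
# values that would put version or OS details back into responses.

# audit_disclosure ROOT -> prints one line per directive and returns 0
# only when both directives are set and every occurrence is Prod / Off.
audit_disclosure() {
    # Directive names are case-insensitive (-i). The anchored pattern skips
    # lines commented out with "#". -H forces the file name into the output.
    grep -rinHE '^[[:space:]]*(ServerTokens|ServerSignature)[[:space:]]+[^[:space:]]' "$1" 2>/dev/null |
    awk '
    {
        split($0, p, ":"); loc = p[1] ":" p[2]            # file:line
        text = $0; sub(/^[^:]*:[^:]*:[ \t]*/, "", text)   # directive text only
        split(text, w, /[ \t\r]+/)
        name = tolower(w[1]); val = tolower(w[2])
        ok = (name == "servertokens") ? (val == "prod" || val == "productonly") : (val == "off")
        seen[name] = 1
        if (!ok) weak = 1
        printf "%s: %s %s [%s]\n", loc, w[1], w[2], (ok ? "OK" : "WEAK")
    }
    END { exit !(seen["servertokens"] && seen["serversignature"] && !weak) }'
}

# Constructed sample tree: the main file is hardened, but an included file
# (hypothetical conf-enabled/security.conf) still carries weaker values.
make_sample_tree() {
    d=$(mktemp -d) && mkdir "$d/conf-enabled" || return 1
    printf 'ServerTokens Prod\nServerSignature Off\n' > "$d/apache2.conf"
    printf '#ServerTokens Minimal\nServerTokens OS\nServerSignature On\n' \
        > "$d/conf-enabled/security.conf"
    printf '%s\n' "$d"
}

# Demo on the constructed tree; on a real host pass /etc/apache2 or /etc/httpd.
tree=$(make_sample_tree)
audit_disclosure "$tree" || echo "result: disclosure directives need attention"
rm -rf "$tree"
```
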
Once Apache has restarted, check the headers again using curl or an online tool:
curl -I http://yourwebsite.com
You should now see something like:
Server: Apache
As you can see, the version and OS details have been removed, making your server setup less visible to potential attackers.
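To make this check repeatable, for example in a deployment pipeline, the script below (an added example, not part of the original guide) reads response headers on standard input and reports which ServerTokens level the Server header corresponds to. The function names are hypothetical and the sample responses are constructed; the mapping from header shape to level follows the documented ServerTokens settings (Prod, Major, Minor, Min, OS, Full).

```shell
#!/bin/sh
# Added example (not from the original guide): classify how much a
# Server response header discloses, in terms of ServerTokens levels.

# disclosure_level: reads raw response headers on stdin and prints one of
# none | Prod | Major | Minor | Min | OS | Full | other.
# Header names are matched case-insensitively and CRLF endings are stripped.
# If several header blocks are present (redirects), the last Server wins.
disclosure_level() {
    tr -d '\r' | awk '
        tolower($0) ~ /^server:/ {
            v = $0; sub(/^[^:]*:[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        }
        END {
            if      (v == "")                                 lvl = "none"
            else if (v ~ /^Apache$/)                          lvl = "Prod"
            else if (v ~ /^Apache\/[0-9]+$/)                  lvl = "Major"
            else if (v ~ /^Apache\/[0-9]+\.[0-9]+$/)          lvl = "Minor"
            else if (v ~ /^Apache\/[0-9]+\.[0-9]+\.[0-9]+$/)  lvl = "Min"
            else if (v ~ /^Apache\/[0-9.]+ \([^)]*\)$/)       lvl = "OS"
            else if (v ~ /^Apache\/[0-9.]+ \([^)]*\) ./)      lvl = "Full"
            else                                              lvl = "other"
            print lvl
        }'
}

# header_is_minimal: succeeds only when the header is absent or shows the
# bare product name, so it can gate a deployment step.
header_is_minimal() {
    case $(disclosure_level) in
        Prod|none) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample responses matching the before/after output in this guide.
printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n' | disclosure_level
printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n' | disclosure_level

# Live use: curl -sI http://yourwebsite.com | header_is_minimal || echo "still leaking"
```
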
In addition to hiding your Apache version and Linux OS, there are other steps you can take to further secure your server:
Regularly updating your server’s software is one of the best ways to protect against attacks. Whether you're using shared hosting or colocation, ensure your server's software (Apache, OS, etc.) is always up-to-date to protect against known vulnerabilities.
The fewer services and modules your server runs, the smaller your attack surface. Review the list of enabled Apache modules and disable any that you don’t need.
To list all enabled modules, use:
apache2ctl -M
Disable unnecessary modules by editing your configuration file or using commands like:
sudo a2dismod module_name
Consider using a Web Application Firewall (WAF) to protect your server from common vulnerabilities like SQL injection, cross-site scripting (XSS), and more. A WAF can add an extra layer of security, especially if your server hosts sensitive data.
Ensure that your server is using HTTPS with a valid SSL certificate. Encrypting the connection between your server and users is essential for data security, particularly for servers handling sensitive information.
Make sure that your Apache server has the appropriate file and directory permissions to prevent unauthorized access. For example, set file permissions to 644 and directory permissions to 755 wherever possible.
By hiding your Apache version and Linux OS from HTTP headers, you reduce the amount of information available to attackers, making it harder for them to target your server. Whether your website is on a colocation server, dedicated server, or shared hosting, following these steps will help you enhance your server’s security.
In addition to these changes, it’s always a good idea to stay up-to-date with security best practices and regularly audit your server for potential vulnerabilities. Taking proactive measures to protect your server ensures your website runs smoothly and securely for all users.