How to improve Apache 2.x web server security: disabling headers

To reduce the information your Apache web server gives away, restrict the Server header and the server signature. By default they reveal the operating system, the exact Apache version, loaded modules and other installed software (PHP, mod_ssl, OpenSSL and so on).

This information exposes the system to attack, because knowing the exact version of a piece of software tells an attacker which known bugs affect it. Hiding it is hardening, not a fix: the software still has to be patched.

Apache 2.x cannot drop the Server header altogether with its core directives, but it can be cut down to the bare product name ("Server: Apache") and the footer on server-generated pages (error pages, directory listings) can be removed. That is done with two directives:

  • ServerTokens
  • ServerSignature

On Apache 2.x built from source with ./configure --prefix=/usr/local/apache2:

Edit the file /usr/local/apache2/conf/extra/httpd-default.conf (it ships with ServerTokens Full and ServerSignature On) and set:

ServerTokens Prod
ServerSignature Off

Edit the file /usr/local/apache2/conf/httpd.conf and uncomment the Include line, otherwise the file above is never read:

# Various default settings
Include conf/extra/httpd-default.conf

Restart Apache

/usr/local/apache2/bin/apachectl restart

On Debian 6 squeeze, with Apache 2.x installed from packages:

Edit the file /etc/apache2/conf.d/security, which already contains both directives, and set them to the following (on later Debian and Ubuntu releases with Apache 2.4 the same file lives at /etc/apache2/conf-available/security.conf and must be enabled with a2enconf security):

ServerTokens Prod
ServerSignature Off

Restart Apache

/etc/init.d/apache2 restart

The headers are now minimized. To verify, request a page that does not exist and inspect both the response headers and the body, with curl or with a header-inspection add-on for Google Chrome or Firefox: the Server header should read just "Apache", and the error page should no longer end with a footer like "Apache/2.2.16 (Debian) Server at www.example.com Port 80".
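The check described above, as an added example that is not part of the original post: a small POSIX shell script that classifies what a response reveals, so the effect of ServerTokens Prod and ServerSignature Off can be verified from the command line. The two HTTP responses embedded in it are constructed samples (a default Debian-style build next to a hardened one) so it runs offline; in real use, feed it the output of curl.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies what an
# Apache response reveals about the server. The responses below are
# constructed samples; in practice pass the output of
#   curl -sI http://host/            (headers only)
#   curl -si http://host/no-such-page (headers + error page body)
# to the two functions.

# Print "prod" if the Server header is the bare product name that
# ServerTokens Prod produces, "leaks" if it carries version, OS or
# module details, and "missing" if there is no Server header at all.
check_server_header() {
    value=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^Server:' | head -n 1 \
            | sed 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//')
    case "$value" in
        '')      echo "missing" ;;
        Apache)  echo "prod" ;;
        *)       echo "leaks" ;;
    esac
}

# Print "signature" if a server-generated page carries the footer that
# ServerSignature On appends ("<address>Apache/... Server at host
# Port N</address>"), otherwise "none".
check_signature() {
    if printf '%s\n' "$1" | grep -q '<address>.*Server at .* Port [0-9][0-9]*</address>'; then
        echo "signature"
    else
        echo "none"
    fi
}

# Constructed sample: a default package build answering a 404.
RESP_DEFAULT='HTTP/1.1 404 Not Found
Date: Sat, 01 Jan 2011 12:00:00 GMT
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7 mod_ssl/2.2.16 OpenSSL/0.9.8o
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<hr>
<address>Apache/2.2.16 (Debian) Server at www.example.com Port 80</address>
</body></html>'

# Constructed sample: the same server after ServerTokens Prod and
# ServerSignature Off.
RESP_HARDENED='HTTP/1.1 404 Not Found
Date: Sat, 01 Jan 2011 12:00:00 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
</body></html>'

for name in DEFAULT HARDENED; do
    eval "resp=\$RESP_$name"
    echo "$name: Server header -> $(check_server_header "$resp"), body signature -> $(check_signature "$resp")"
done
```

Run the script as it is to see the two constructed cases side by side, then point the functions at your own host. Check the syntax with apachectl -t before restarting, and remember that ServerTokens is a server-wide setting (it cannot be overridden per virtual host), while ServerSignature can also be set inside virtual hosts and directories.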
