Disable WebServer Banner Apache/IHS


Don’t display or send Apache version (Set ServerTokens)

By default, the server's HTTP response header contains the Apache and PHP version, something similar to the following. This is harmful, as we don't want an attacker to know the specific version number.

Apache reveals information in its default configuration unless it is configured in a secure way. ServerSignature controls whether Apache version information is appended to server-generated pages, and the ServerTokens directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.

To avoid this, set the ServerTokens and ServerSignature directives in httpd.conf. This will display “Server: Apache” without any version information.

In httpd.conf,

# vi httpd.conf   (search for ServerTokens)

Default:

ServerTokens Full
ServerSignature On

Change it to the below:

ServerTokens Prod
ServerSignature Off

Now the web server no longer discloses version information in its banner; restart the web server for the configuration changes to take effect.
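Before restarting, it is worth confirming that the file actually ends up with the hardened values, since Apache applies the last occurrence of a directive and a later line can silently override an earlier edit. The following audit script is an added example, not part of the original post; the config file paths are constructed temporary files.

```shell
#!/bin/sh
# Added example, not from the original post: audit an httpd.conf for the two
# directives above before restarting. Apache applies the LAST occurrence of a
# directive in a file, so the effective value is the last uncommented match.

# Print the effective value of a directive, or nothing if it is unset.
# Usage: effective_value <Directive> <config-file>
effective_value() {
  grep -iE "^[[:space:]]*$1[[:space:]]+" "$2" 2>/dev/null |
    tail -n 1 | awk '{ print $2 }'
}

# Return 0 when ServerTokens is Prod and ServerSignature is Off; otherwise
# report what still leaks and return 1. Unset ServerTokens means Full
# (the Apache default); unset ServerSignature means Off.
check_apache_banner_config() {
  tokens=$(effective_value ServerTokens "$1")
  sig=$(effective_value ServerSignature "$1")
  rc=0
  case "$(printf '%s' "${tokens:-Full}" | tr '[:upper:]' '[:lower:]')" in
    prod|productonly) ;;
    *) echo "ServerTokens is '${tokens:-unset, Full}': version info is sent"; rc=1 ;;
  esac
  case "$(printf '%s' "${sig:-Off}" | tr '[:upper:]' '[:lower:]')" in
    off) ;;
    *) echo "ServerSignature is '$sig': server-generated pages carry a footer"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample configs (assumed paths in a temp dir) for a stand-alone run.
tmp=$(mktemp -d)
printf 'ServerTokens Full\nServerSignature On\n' > "$tmp/default.conf"
printf '# ServerTokens Full\nServerTokens Prod\nServerSignature Off\n' > "$tmp/hardened.conf"
# A later ServerTokens line overrides the earlier one, so this file still leaks.
printf 'ServerTokens Prod\nServerTokens OS\nServerSignature Off\n' > "$tmp/override.conf"

for f in default hardened override; do
  if check_apache_banner_config "$tmp/$f.conf"; then
    echo "$f.conf: OK"
  else
    echo "$f.conf: needs hardening"
  fi
done
```

Run it against the real httpd.conf (or the IHS equivalent) instead of the constructed files; a non-zero exit means a directive is still at a leaking value.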