Hide Apache Server Signature

By default, an Apache installation ships with many modules and services that expose critical server information to the outside world. An attacker can use that information, for example by searching the Internet for an exploit that matches an older Apache version. Reconnaissance attacks commonly gather this kind of information. Learn more about Reconnaissance attacks.

The following snippets remove the server signature. Put them in the /etc/apache2/apache2.conf file. The second snippet needs the ModSecurity module (security2_module), so make sure it is installed before using it.

After that, the response header no longer reveals which web server is in use, e.g. Nginx, Apache, Tomcat etc.

To remove the server signature, type this:

ServerSignature Off
ServerTokens Prod

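To remove the web server name from the Server header completely, type this:

<IfModule security2_module>
# Turn on ModSecurity so that SecServerSignature takes effect
SecRuleEngine On
ServerTokens Prod
# Overwrite the Server header value with a single space
SecServerSignature " "
</IfModule>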

without our code:

Bad response

with our code:

Good response

Finally, restart Apache with service apache2 restart.

If you want to check this, visit this.
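One way to check the result from the command line, as an added example that is not part of the original post: the function name classify_server_header and the sample responses are constructed for illustration, and the function reads raw response headers such as the output of curl -sI.

```shell
#!/bin/sh
# Added example: classify the Server header found in raw HTTP response
# headers on stdin, e.g.  curl -sI http://localhost/ | classify_server_header
#   version -> product and version exposed (Apache default)
#   product -> product name only (ServerTokens Prod)
#   hidden  -> header absent or blank (SecServerSignature " ")
classify_server_header() {
    tr -d '\r' | awk '
        BEGIN { result = "hidden" }
        /^$/  { exit }                      # blank line ends the header block
        tolower($0) ~ /^server:/ {
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value) # drop the field name
            sub(/[ \t]+$/, "", value)       # drop trailing whitespace
            if (value == "")          result = "hidden"
            else if (value ~ /[0-9]/) result = "version"
            else                      result = "product"
        }
        END { print result }
    '
}

# Constructed sample responses (not captured from a real server).
sample_default() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.0 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n'
}
sample_prod() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n'
}
sample_blank() {
    printf 'HTTP/1.1 200 OK\r\nServer:  \r\nContent-Type: text/html\r\n\r\n'
}

for sample in sample_default sample_prod sample_blank; do
    printf '%s: %s\n' "$sample" "$($sample | classify_server_header)"
done
```

Run it against your own server before and after the restart; a result of "version" means the default signature is still being sent.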
