Exposing web server signature with Apache/PHP version info can be a security risk as you are telling attackers known vulnerabilities of your system. Thus it is recommended you disable all web server signatures as part of server hardening process.
Disable Apache Web Server Signature
Follow the steps below to disable Apache Server Signature.
On Debian or Ubuntu:
$ sudo vi /etc/apache2/apache2.conf
On CentOS, Fedora or RHEL:
$ sudo vi /etc/httpd/conf/httpd.conf
Add the following two lines at the end of Apache config file.
ServerSignature Off
ServerTokens Prod
Then restart web server to activate the change:
$ sudo service apache2 restart (Debian or Ubuntu)
$ sudo service httpd restart (CentOS/RHEL 6)
$ sudo systemctl restart httpd.service (Fedora or CentOS/RHEL 7)
The first line ‘ServerSignature Off’ makes Apache hide the version info on any error pages. However, without the second line ‘ServerTokens Prod’, Apache will still include a detailed server token in HTTP response headers (the Server header), which reveals the Apache version number.
Hide PHP Version
Another security threat is the PHP version info leaking in HTTP response headers. By default, Apache server includes PHP version info via the “X-Powered-By” field in HTTP response headers. If you want to hide the PHP version in HTTP headers, open the “php.ini” file with a text editor, look for “expose_php = On”, and change it to “expose_php = Off”.
On Debian or Ubuntu:
$ sudo vi /etc/php5/apache2/php.ini
On CentOS, Fedora or RHEL:
$ sudo vi /etc/php.ini
Make sure the file contains the following line (change the existing “expose_php = On” line, or add it if it is missing):
expose_php = Off
Finally, restart web server to reload updated PHP config file.
Now you will no longer see “X-Powered-By” field in HTTP response headers.
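The following script is an added example, not part of the original post: it audits an Apache config file and a php.ini for the three settings described above, and checks a captured HTTP response header block for the two leaks (an Apache version in the Server header, and any X-Powered-By header). The file paths, function names and the sample config and header data are all constructed for the demonstration; run it against your own config paths and a header block captured with `curl -I` to verify the change took effect.

```shell
#!/bin/sh
# Added example (not from the original post). All sample data below is constructed.

# Succeeds when the last uncommented ServerSignature is Off and the last
# uncommented ServerTokens is Prod (or its long form ProductOnly). Later
# directives override earlier ones in Apache, so only the last one counts.
apache_config_hardened() {
    conf="$1"
    sig=$(grep -iE '^[[:space:]]*ServerSignature[[:space:]]' "$conf" | tail -n 1 | awk '{print tolower($2)}')
    tok=$(grep -iE '^[[:space:]]*ServerTokens[[:space:]]' "$conf" | tail -n 1 | awk '{print tolower($2)}')
    [ "$sig" = "off" ] || return 1
    [ "$tok" = "prod" ] || [ "$tok" = "productonly" ]
}

# Succeeds when the last uncommented expose_php setting in php.ini is Off.
# php.ini comments start with ';'.
php_ini_hardened() {
    ini="$1"
    val=$(grep -iE '^[[:space:]]*expose_php[[:space:]]*=' "$ini" | tail -n 1 \
          | awk -F= '{gsub(/[[:space:]]/, "", $2); print tolower($2)}')
    [ "$val" = "off" ]
}

# Succeeds when a response header block (one header per line) shows neither a
# "/<digits>" version component in the Server header nor any X-Powered-By header.
headers_leak_free() {
    hdrs="$1"
    if printf '%s\n' "$hdrs" | grep -i '^Server:' | grep -q '/[0-9]'; then
        return 1
    fi
    if printf '%s\n' "$hdrs" | grep -qi '^X-Powered-By:'; then
        return 1
    fi
    return 0
}

# Constructed sample configs: a leaky pair and a hardened pair written to $1.
write_sample_configs() {
    dir="$1"
    printf 'ServerSignature On\nServerTokens Full\n' > "$dir/leaky.conf"
    printf 'ServerSignature On\n# ServerTokens Full\nServerSignature Off\nServerTokens Prod\n' > "$dir/hardened.conf"
    printf 'expose_php = On\n' > "$dir/leaky.ini"
    printf '; expose_php = On\nexpose_php = Off\n' > "$dir/hardened.ini"
}

# Constructed sample header blocks, as `curl -I` would print them.
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9
Content-Type: text/html'

HARDENED_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

# Demonstration run on the constructed samples.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in leaky hardened; do
    apache_config_hardened "$tmp/$f.conf" && echo "$f.conf: hardened" || echo "$f.conf: leaks version"
    php_ini_hardened "$tmp/$f.ini" && echo "$f.ini: hardened" || echo "$f.ini: exposes PHP"
done
headers_leak_free "$LEAKY_HEADERS" && echo "leaky headers: clean" || echo "leaky headers: version leak"
headers_leak_free "$HARDENED_HEADERS" && echo "hardened headers: clean" || echo "hardened headers: version leak"
rm -rf "$tmp"
```

To check a live server, capture its headers with `curl -sI http://localhost/` into a variable and pass that to `headers_leak_free`; the Server header should read just `Apache` and X-Powered-By should be absent.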
Thank you for this post.
Thank you for this useful article. I need this setting for my website.
Make sure to add both lines at the end of the file.
SecServerSignature is required and it needs mod_security installed in Apache.