Apache: Disable response headers


Post by gilthanaz »

[Problem]
When displaying an empty page or an error, the server exposes the Apache/PHP/SSL versions, like:

Server: Apache/2.4.10 (Ubuntu) PHP/5.5.30-1+deb.sury.org~precise+1 OpenSSL/1.0.1
X-Powered-By: PHP/5.5.30-1+deb.sury.org~precise+1 

[Solution]

Change in vhost (for each site + default):

ServerSignature Off
ServerTokens ProductOnly

Change in php.ini:

expose_php = off

Re: Apache: Disable response headers

Post by gilthanaz »

[Correction]
These settings are global and not by vhost. So one way to do it is to create config files with the above changes like this:

1. Create an Apache conf file in /etc/apache2/conf.d/security.conf with:

ServerSignature Off
ServerTokens ProductOnly

2. Create a PHP ini file in /etc/php5/apache2/conf.d/99-no_expose.ini with:

expose_php = off

Symlink to activate:

/etc/php5/apache2/conf.d/99-no_expose.ini --> /etc/php5/apache2/mods_available/no_expose.ini

Reload/restart apache2 and check if everything works by browsing to a non-existing site; the bottom line should only say "Apache Server at <test URL> Port 80" without further server details.
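The final check from the thread can also be done on the response headers instead of the error page footer. This is an added example, not part of the original posts: the function name `check_headers` is hypothetical, the "after" sample is constructed, and it assumes that any `X-Powered-By` header counts as a leak.

```shell
#!/bin/sh
# check_headers: read raw HTTP response headers on stdin, print every
# Server / X-Powered-By line that still exposes details, and return
# non-zero if at least one such line was found.
check_headers() {
    tr -d '\r' | awk '
        {
            # split "Name: value" without relying on a field separator
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*: */, "", value)
        }
        # expose_php = off removes this header completely
        name == "x-powered-by" { print "LEAK: " $0; bad = 1 }
        # ServerTokens ProductOnly leaves only the product name, so any
        # digit, slash or "(" means version/OS/module details remain
        name == "server" && (value ~ /[0-9(]/ || index(value, "/")) {
            print "LEAK: " $0; bad = 1
        }
        END { exit bad + 0 }
    '
}

# Headers from the [Problem] section of the first post.
BEFORE='Server: Apache/2.4.10 (Ubuntu) PHP/5.5.30-1+deb.sury.org~precise+1 OpenSSL/1.0.1
X-Powered-By: PHP/5.5.30-1+deb.sury.org~precise+1'

# Constructed sample of a response after the changes were applied.
AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1'

printf '%s\n' "$BEFORE" | check_headers || echo "before: still leaking"
printf '%s\n' "$AFTER"  | check_headers && echo "after: clean"

# Against a live server (URL is a placeholder):
#   curl -sI http://localhost/does-not-exist | check_headers
```
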