Hiding the Apache2 server header
Posted on: 2018-01-23
There's a valid argument to be made that security should be addressed properly, and you should not rely on security through obscurity. However, security should also be a layered approach, and hiding the software versions you run is a perfectly valid layer, since so many hacking tools out there fingerprint open ports and public servers by software version in order to pick zero-day exploits that apply to them.
In this post, I will describe how to hide the Server header for Apache 2, replacing it with the word Unknown. This was surprisingly difficult to figure out, since most of the answers found online do not work. While it's straightforward to hide the Apache version number, hiding the entire string is something the Apache devs are actively fighting against, although I would argue it's probably not because of security.
The first thing to do is look at your current headers from the command line:
$ curl -I http://localhost/
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2018 20:11:16 GMT
Server: Apache/2.2.0
Content-Type: text/html;charset=UTF-8
Now that we know the current state of the headers, let's enable the two modules we need (a2enmod is the Debian/Ubuntu helper; the ModSecurity package itself must already be installed):
a2enmod security2
a2enmod headers
Next, let's configure /etc/apache2/apache2.conf or /etc/httpd/httpd.conf, depending on your distribution, and add the following lines:
ServerSignature Off
ServerTokens Min
SecRuleEngine on
SecServerSignature "Unknown"
Also make sure these directives aren't set in any other file, since a later definition would override the ones above. Typically, you may find them in the mods-available/security.conf file; you can comment them out there.
Finally, let's restart Apache and check whether the headers changed:
$ systemctl restart apache2
$ curl -I http://localhost/
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2018 20:18:02 GMT
Server: Unknown
Content-Type: text/html;charset=UTF-8
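The curl check above is the thing worth automating after every config change, so here is a small script, added as an example and not part of the original post, that extracts the Server header from raw response headers and flags values that still disclose a product or version. The sample responses are constructed to mirror the before and after states shown in the post; the function names (server_header, leaks_version, check) are my own. For a live check, pipe the output of curl -sI into server_header as shown in the last comment.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a server's
# response headers no longer leak the web server product or version.

# Print the value of the Server header from raw HTTP response headers
# read on stdin (e.g. the output of `curl -sI URL`).
server_header() {
  # tr strips the CRLF line endings; awk matches the header name
  # case-insensitively, drops "Server: " and prints the remainder.
  tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^ ]+ +/, ""); print; exit }'
}

# Return 0 (true) if the Server value names a known product, with or
# without a version, e.g. "Apache/2.2.0" or "Apache"; 1 otherwise.
leaks_version() {
  printf '%s\n' "$1" | grep -Eiq '^(apache|nginx|microsoft-iis|lighttpd)(/[0-9.]+)?'
}

# Constructed sample responses, copied from the post's before/after output.
BEFORE='HTTP/1.1 200 OK
Date: Thu, 23 Jan 2018 20:11:16 GMT
Server: Apache/2.2.0
Content-Type: text/html;charset=UTF-8'

AFTER='HTTP/1.1 200 OK
Date: Thu, 23 Jan 2018 20:18:02 GMT
Server: Unknown
Content-Type: text/html;charset=UTF-8'

# Report whether a captured response passes; returns 1 on disclosure.
check() {
  hdr=$(printf '%s\n' "$1" | server_header)
  if leaks_version "$hdr"; then
    echo "FAIL: Server header discloses product/version: $hdr"
    return 1
  fi
  echo "OK: Server header is '$hdr'"
  return 0
}

# Live usage against a real host would be:
#   curl -sI http://localhost/ | server_header
check "$BEFORE" || true   # expected to FAIL: Apache/2.2.0
check "$AFTER"            # expected to pass: Unknown
```

One caveat worth knowing when the replacement does not show up: ModSecurity writes the SecServerSignature value over the banner string Apache has already built in memory, so the replacement must not be longer than the original banner. "Unknown" fits inside "Apache/2.2.0" with ServerTokens Min, which is why the post's setup works; the ModSecurity documentation recommends ServerTokens Full precisely so that the original string is long enough for any replacement.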