Basic Apache security


A very basic thing you should do if you are running a webserver is to hide the operating system and software versions. By default Apache reveals the operating system, the Apache version and the loaded modules in its Server header. To stop this full exposure, change the value of the ServerTokens directive in /etc/httpd/conf/httpd.conf.

Open /etc/httpd/conf/httpd.conf, find the line:

ServerTokens Full

and change it to:

ServerTokens Prod

ServerTokens Full will show:

Apache/2.2.3 (CentOS) mod_python/3.3.1 Python/2.5.1 PHP/5.2.4 with Suhosin-Patch mod_jk/1.2.25 mod_ssl/2.0.61 OpenSSL/0.9.7e-p1 mod_perl/2.0.3 Perl/v5.8.8

while ServerTokens Prod will show only the product name:

Apache

The other options are:

ServerTokens OS returns: Apache/2.2.3 (CentOS)

ServerTokens Min returns: Apache/2.2.3

ServerTokens Minor returns: Apache/2.2

ServerTokens Major returns: Apache/2


Another way to prevent Apache from revealing that it is running PHP is to tell PHP not to expose itself. This is done by changing the value of expose_php in /etc/php.ini to Off.

Open /etc/php.ini, find the line:

expose_php = on

and change it to:

expose_php = off

To prevent Apache from appending its server signature (the same information ServerTokens controls) to every server-generated document, such as error pages, set the ServerSignature directive to Off (the default) or to EMail.
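As an added worked example (not part of the original howto), the following Python script shows what the ServerTokens levels above amount to by deriving each header form from the Full string quoted on this page, and then audits an httpd.conf and a php.ini text for the three settings discussed here (ServerTokens, ServerSignature, expose_php). The configuration samples are constructed; the parsers are deliberately minimal, and the values assumed when a directive is absent are Apache's and PHP's shipped defaults (ServerTokens Full, ServerSignature Off, expose_php On).

```python
import re

# Accepted ServerTokens keywords, including the long spellings Apache allows
# (ProductOnly, Minimal), normalised to a short level name.
_TOKEN_LEVELS = {
    "prod": "prod", "productonly": "prod",
    "major": "major",
    "minor": "minor",
    "min": "min", "minimal": "min",
    "os": "os",
    "full": "full",
}

# The Server header quoted in the howto for ServerTokens Full.
FULL_HEADER = ("Apache/2.2.3 (CentOS) mod_python/3.3.1 Python/2.5.1 PHP/5.2.4 "
               "with Suhosin-Patch mod_jk/1.2.25 mod_ssl/2.0.61 OpenSSL/0.9.7e-p1 "
               "mod_perl/2.0.3 Perl/v5.8.8")


def server_header_for(tokens, full_header):
    """Return the Server header Apache sends for a given ServerTokens value,
    derived from the Full form: product/major.minor.patch, optional (OS), modules."""
    level = _TOKEN_LEVELS.get(tokens.lower())
    if level is None:
        raise ValueError(f"unknown ServerTokens value: {tokens!r}")
    m = re.match(r"(\w+)/(\d+)\.(\d+)\.(\S+)(?:\s+(\([^)]*\)))?", full_header)
    if not m:
        raise ValueError("Server header is not in product/major.minor.patch form")
    product, major, minor, patch, os_part = m.groups()
    if level == "full":
        return full_header
    if level == "prod":
        return product
    if level == "major":
        return f"{product}/{major}"
    if level == "minor":
        return f"{product}/{major}.{minor}"
    if level == "min":
        return f"{product}/{major}.{minor}.{patch}"
    # level == "os": version plus the parenthesised operating system, if present
    return f"{product}/{major}.{minor}.{patch}" + (f" {os_part}" if os_part else "")


def _parse_httpd_conf(text):
    """Minimal directive parser: lines starting with '#' are comments, directive
    names are case-insensitive, and a later occurrence overrides an earlier one.
    Container lines (<VirtualHost ...> etc.) are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip().strip('"')
    return directives


def _parse_php_ini(text):
    """Minimal php.ini parser: ';' starts a comment, [sections] are skipped,
    values are lower-cased so On/on/ON compare equal."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def audit(httpd_conf, php_ini):
    """Return a list of findings (empty when hardened) for the three settings
    the howto covers. Missing directives fall back to the shipped defaults."""
    findings = []
    conf = _parse_httpd_conf(httpd_conf)
    ini = _parse_php_ini(php_ini)

    tokens = conf.get("servertokens", "Full")
    if _TOKEN_LEVELS.get(tokens.lower()) != "prod":
        findings.append(f"ServerTokens is '{tokens}': set it to Prod so the Server header is just 'Apache'")

    signature = conf.get("serversignature", "Off")
    if signature.lower() not in ("off", "email"):
        findings.append(f"ServerSignature is '{signature}': set it to Off (or EMail)")

    expose = ini.get("expose_php", "on")
    if expose in ("on", "1", "true", "yes"):
        findings.append("expose_php is On: set it to Off so PHP adds neither X-Powered-By nor its version to Server")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_HTTPD_CONF = """\
# stock-looking settings
ServerTokens Full
ServerSignature On
"""
HARDENED_HTTPD_CONF = """\
ServerTokens Prod
ServerSignature Off
"""
WEAK_PHP_INI = """\
[PHP]
; Decides whether PHP may expose the fact that it is installed on the server
expose_php = On
"""
HARDENED_PHP_INI = """\
[PHP]
expose_php = Off
"""

if __name__ == "__main__":
    for level in ("Full", "OS", "Min", "Minor", "Major", "Prod"):
        print(f"ServerTokens {level:5} -> {server_header_for(level, FULL_HEADER)}")
    for name, conf, ini in (("weak", WEAK_HTTPD_CONF, WEAK_PHP_INI),
                            ("hardened", HARDENED_HTTPD_CONF, HARDENED_PHP_INI)):
        print(f"{name}: {audit(conf, ini) or ['no findings']}")
```

Run it directly to see the six header forms and the audit results for the weak and hardened samples; to check a real host, pass the contents of its httpd.conf and php.ini to audit() instead of the constructed strings.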

