Server signature refers to the information sent by the Apache web server in the HTTP response headers. This information typically includes the Apache version and other details about the server. While this may seem harmless, it can provide potential attackers with valuable insights into your server configuration.

Disabling the server signature is a common security practice. By hiding the Apache version and other details, you make it more difficult for attackers to exploit known vulnerabilities specific to your server's configuration.

In Apache, the server signature is controlled by the ServerSignature and ServerTokens directives: ServerSignature controls the footer line that Apache appends to server-generated pages such as error pages and directory listings, and ServerTokens controls how much detail the Server response header carries. By modifying these directives in the Apache configuration file, you can control what information, if any, is revealed.

Steps to disable server signature for Apache:

  1. Launch terminal.
  2. Find the ServerSignature directive in the Apache configuration file.

    $ sudo grep -nr ServerSignature /etc/{httpd,apache2}
    grep: /etc/httpd: No such file or directory
    /etc/apache2/conf-available/security.conf:22:#ServerSignature Off
    /etc/apache2/conf-available/security.conf:23:ServerSignature On
    /etc/apache2/conf-available/localized-error-pages.conf:31:# ServerAdmin email address regardless of the setting of ServerSignature.
  3. Open the Apache configuration file that contains the ServerSignature directive using your preferred text editor.

    $ sudo vi /etc/apache2/conf-available/security.conf
  4. Set the ServerSignature directive to Off.

    ServerSignature Off

    Add a new line, or uncomment the existing ServerSignature line, and set its value to Off.

  5. Find the ServerTokens directive in the Apache configuration file.

    $ sudo grep -nr ServerTokens /etc/{httpd,apache2}
    grep: /etc/httpd: No such file or directory
    /etc/apache2/conf-available/security.conf:5:# ServerTokens
    /etc/apache2/conf-available/security.conf:11:#ServerTokens Minimal
    /etc/apache2/conf-available/security.conf:12:ServerTokens OS
    /etc/apache2/conf-available/security.conf:13:#ServerTokens Full
  6. Open the Apache configuration file that contains the ServerTokens directive using your preferred text editor.

    $ sudo vi /etc/apache2/conf-available/security.conf
  7. Set the ServerTokens directive to Prod.

    This directive configures what Apache returns in the Server HTTP response header. The built-in default is 'Full', which sends information about the OS type and compiled-in modules. Set it to one of: Full | OS | Minimal | Minor | Major | Prod, where Full conveys the most information and Prod the least.

    Add a new line, or uncomment the existing ServerTokens line, and set its value to Prod.

  8. Save and exit the text editor.
  9. Restart the Apache service for the changes to take effect.

    $ sudo systemctl restart apache2
  10. Verify that the server signature has been disabled by inspecting the HTTP headers in the response from your server.

    $ curl -I 127.0.0.1
    HTTP/1.1 200 OK
    Date: Sun, 03 Sep 2023 04:04:41 GMT
    Server: Apache
    Last-Modified: Fri, 25 Aug 2023 12:12:15 GMT
    ETag: "29af-603be4163c6a4"
    Accept-Ranges: bytes
    Content-Length: 10671
    Vary: Accept-Encoding
    Content-Type: text/html

    The Server header should now display only Apache. Because ServerSignature controls the footer on server-generated pages rather than this header, requesting a non-existent path and checking that the resulting error page carries no version footer confirms that setting as well.