How (and why) to disable the Apache server signature on your web pages
In Apache's default configuration, every error page includes the full server signature, version number included. Each version has its own weaknesses, and a hacker who knows your version number can use it to focus attacks on that version.
To disable the server signature, edit your /etc/apache2/apache2.conf file:
sudo nano /etc/apache2/apache2.conf
Press Ctrl+W to search for "ServerSignature" and press Return. If you find it, edit it to match the two lines below. If you don't find it, scroll to the end of the file and add these two lines:
ServerSignature Off
ServerTokens Prod
Then reload the Apache configuration so the change takes effect:
sudo /etc/init.d/apache2 reload
Check the new configuration by requesting an invalid address on your server (e.g. www.server.com/invalidpage.html). You should no longer see the server signature, just the server name.
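To script this check instead of reading the error page by eye, the following added example (not part of the original post) scans a raw HTTP response for the two things these directives control: a versioned Server header and the signature footer on error pages. The function name check_disclosure and both sample responses, including the version string 2.4.41, are constructed for illustration.

```bash
# Added example: detect Apache version disclosure in a raw HTTP response
# (status line, headers, blank line, body), such as `curl -si` prints.
# Reads the response on stdin, prints one line per finding,
# returns 0 when nothing is disclosed and 1 otherwise.
check_disclosure() {
    local response header footer findings=0
    response=$(tr -d '\r')    # normalise CRLF line endings

    # Header block only (up to the first blank line). Any ServerTokens
    # level other than Prod sends "Apache/<version>..." here.
    header=$(printf '%s\n' "$response" | sed '/^$/q' | grep -i '^Server:' | head -n 1)
    if printf '%s\n' "$header" | grep -Eiq '^Server:[[:space:]]*Apache/'; then
        echo "header discloses version: $header"
        findings=1
    fi

    # Footer line that ServerSignature On appends to generated error pages.
    footer=$(printf '%s\n' "$response" | grep -Eio '<address>Apache[^<]*</address>' | head -n 1)
    if [ -n "$footer" ]; then
        echo "error page carries signature: $footer"
        findings=1
    fi
    return "$findings"
}

# Constructed sample: 404 from a default install (version string is made up).
sample_default() {
    cat <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)

<html><body><h1>Not Found</h1>
<address>Apache/2.4.41 (Ubuntu) Server at www.server.com Port 80</address>
</body></html>
EOF
}

# Constructed sample: same request after ServerSignature Off + ServerTokens Prod.
sample_hardened() {
    cat <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache

<html><body><h1>Not Found</h1></body></html>
EOF
}

sample_default  | check_disclosure || true
sample_hardened | check_disclosure && echo "no version disclosed"
```

Against a live server, pipe the output of curl -si for the invalid URL into check_disclosure in place of the samples.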
3 people spoke on this:
Doesn't work for 403 Forbidden
Thanks for this tip, I used this on my web server!
Works fine here for the 403 Forbidden