Reputation: 3490
I want to know how to remove the Server header that Apache sends in the response completely.
Initially, it was showing full server info like Server: Apache (Ubuntu 14.04) in the response headers.
But I read somewhere to add this in apache2.conf
ServerTokens ProductOnly
ServerSignature Off
It didn't remove the header but only changed it to Server: Apache.
I even tried to remove that header from PHP with header_remove('Server'); but still no luck.
So, I want to remove that completely.
Thanks,
PS: if it's possible to change the value to a fake value, e.g. Server: Microsoft-IIS/8.0, then that is fine too.
Upvotes: 12
Views: 21834
Reputation: 1683
To build on the answer by @Maxym on using the mod_security module - NOTE that you CANNOT remove the server header ENTIRELY (that is only possible through source code editing/recompilation) with this module; however, you can rename the public server signature, say "NinjaServer", via this mod_security module!
To do that:
We have to (in httpd.conf or equivalent) keep/set:
ServerTokens Full
Then via mod_security2.conf:
SecServerSignature "NinjaServer"
Also, it's better for the mod_security module to be loaded last to avoid notices in the Apache error log.
For an openSUSE 15.x / Apache 2.4.x setup, the actual steps are:
zypper -v in apache2-mod_security2   # install mod_security
a2enmod security2                    # enable the module
a2enmod unique_id                    # this was needed too...
a2enmod -l                           # verify loaded
Next, edit httpd.conf.local (under /etc/apache2) and set:
ServerTokens Full
Next, edit mod_security2.conf (under /etc/apache2) and set (Apache config does not allow trailing comments, so they go on their own lines):
# only remove the Apache server name
SecRuleEngine DetectionOnly
# some name other than Apache
SecServerSignature "NinjaServer"
Also comment out (this example is just for modifying the public Server signature):
# Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
Then restart Apache via
systemctl restart apache2
And if you were to check your headers (Browser's Dev Tools) now, you will see the Server name appearing as NinjaServer :-)
Upvotes: 6
Reputation: 159
Tested on Raspberry Pi OS: Raspbian Buster (release date: March 4th 2021, kernel version: 5.10)
Apache version: 2.4.38
Installation of mod_security:
sudo apt-get install libapache2-mod-security2 -y
Modify security.conf:
sudo nano /etc/apache2/conf-available/security.conf
as follows:
ServerTokens Prod
Copy the template:
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Modify modsecurity.conf:
sudo nano /etc/modsecurity/modsecurity.conf
as follows:
SecRuleEngine DetectionOnly
SecServerSignature "Noop"
Restart the server:
sudo service apache2 restart
Source
Upvotes: 2
Reputation: 7464
This is the best way I found:
sudo apt-get install libapache2-mod-security2
Then add this to /etc/apache2/apache.conf (you can use any name; here I've used a space):
<IfModule security2_module>
SecRuleEngine on
ServerTokens Min
SecServerSignature " "
</IfModule>
and restart Apache:
sudo service apache2 restart
Now when you run something like:
curl -v http://localhost:80/ | head
you should get:
< HTTP/1.1 200 OK
< Date: Mon, 25 Jan 2021 09:31:11 GMT
* Server is not blacklisted
< Server:
For full details see here.
Upvotes: 6
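A small check for what the server advertises after applying one of the configurations above, added here as an example and not code from any of the answers. It classifies the Server header of a captured raw response (the constructed samples below mirror the states discussed: default, ServerTokens Prod, a renamed signature, a blank signature, and no header at all) and, via check_live(), of a host you administer. The function and variable names (classify_server_header, parse_headers, check_response, check_live, SAMPLES) are mine.

```python
from http.client import HTTPConnection


def classify_server_header(value):
    """Map a Server header value (None when the header is absent) to a disclosure level."""
    if value is None:
        return "absent"            # only reachable by patching and rebuilding httpd
    value = value.strip()
    if not value:
        return "blank"             # e.g. SecServerSignature " "
    if "(" in value:
        return "full"              # OS/module comment present: ServerTokens Full or OS
    product, _, version = value.split()[0].partition("/")
    if version:
        return "version"           # ServerTokens Min/Minor/Major, e.g. Apache/2.4
    if product.lower() == "apache":
        return "product-only"      # ServerTokens Prod
    return "custom"                # SecServerSignature with a non-Apache name


def parse_headers(raw):
    """Parse a raw HTTP response (bytes) into a {lowercase-name: value} dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return headers


def check_response(raw):
    """Classify the Server header of a captured raw response (bytes)."""
    return classify_server_header(parse_headers(raw).get("server"))


def check_live(host, port=80, path="/", timeout=5):
    """HEAD a host you administer and classify what it advertises."""
    conn = HTTPConnection(host, port, timeout=timeout)
    conn.request("HEAD", path)
    return classify_server_header(conn.getresponse().getheader("Server"))


# Constructed sample responses mirroring the states seen in the answers above.
SAMPLES = {
    "default": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.38 (Raspbian)\r\n\r\n",
    "prod": b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "ninja": b"HTTP/1.1 200 OK\r\nServer: NinjaServer\r\n\r\n",
    "blank": b"HTTP/1.1 200 OK\r\nServer: \r\n\r\n",
    "none": b"HTTP/1.1 200 OK\r\n\r\n",
}
```

Run check_live("localhost") against your own server after each config change; anything other than "blank" or "custom" means the header still names Apache.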
Reputation: 679
The server ID/token header is controlled by the "ServerTokens" directive (provided by mod_core). Aside from modifying the Apache HTTPD source code or using the mod_security module, there is no other way to fully suppress the server ID header.
With the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file and leverage only the server header ID directive without any additional "baggage." (c) Chipster
Upvotes: 6