Question: How to disable the server signature using .htaccess or by editing the Apache config file?
Answer:
Attackers can use the server signature to their advantage when performing an attack, which is why it is always advised to disable it.
There are 2 methods to do it:
1- Using .htaccess:
Open your public_html folder (browse public_html using FTP with all hidden files displayed).
Now, to disable the server's signature used to identify the server, use the following code in your .htaccess file:
# Disable server signature
ServerSignature Off
This will hide the Apache version normally seen at the bottom of your 404 error pages, directory listings, etc.
2- Disable signature by editing httpd.conf
There are two directives that you need to add, or edit in your httpd.conf / apache2.conf file:
On Ubuntu and Linux Mint, edit apache2.conf using the following commands (on CentOS/Fedora, edit httpd.conf):
cd /etc/apache2/
vi apache2.conf
and add these 2 lines at the bottom of the file:
ServerSignature Off
ServerTokens Prod
The ServerSignature appears at the bottom of pages generated by Apache, such as 404 pages, directory listings, etc.
The ServerTokens directive determines what Apache puts in the Server HTTP response header. Setting it to Prod reduces the header to the following:
Server: Apache
When this is done, restart Apache:
/etc/init.d/httpd restart          # CentOS/Fedora/RHEL
sudo /etc/init.d/apache2 restart   # Ubuntu/Debian/LinuxMint
Here are the results on my Linux Mint:
[Image: after the change]
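To confirm both directives took effect after the restart, this added example (not part of the original answer) audits an HTTP response for the two leaks described above: a Server header with more than "Apache" and the signature footer on generated pages. The function name, sample responses, host name and version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a raw HTTP response (headers + body) for Apache
# signature leaks. Reads the response on stdin, prints one line per finding,
# and returns 0 when nothing leaks, 1 otherwise.
check_signature() {
    resp=$(tr -d '\r')    # normalise CRLF line endings
    leaks=0

    # With ServerTokens Prod the header value should be exactly "Apache".
    server=$(printf '%s\n' "$resp" | grep -i '^Server:' | head -n 1 |
             sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
    case "$server" in
        ""|Apache) ;;
        *) echo "Server header leaks detail: $server"; leaks=1 ;;
    esac

    # With ServerSignature Off, generated pages carry no <address> footer.
    if printf '%s\n' "$resp" | grep -qi '<address>Apache'; then
        echo "Generated page still carries a signature footer"
        leaks=1
    fi
    return "$leaks"
}

# Constructed sample responses (version string and host are made up).
DEFAULT_404='HTTP/1.1 404 Not Found
Server: Apache/2.4.0 (Ubuntu)
Content-Type: text/html

<html><body><h1>Not Found</h1><hr>
<address>Apache/2.4.0 (Ubuntu) Server at example.test Port 80</address>
</body></html>'

HARDENED_404='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<html><body><h1>Not Found</h1></body></html>'

# Live use (assumes curl is installed; the URL is a placeholder):
#   curl -s -i http://localhost/no-such-page | check_signature
```

Run it against a page Apache generates itself (a 404 or a directory listing), since the footer only appears on those.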