Obscuring PHP and Apache versions for security best practice

Allowing the malicious users of the world more information than is absolutely necessary doesn’t make sense and is simply inviting them to run automated scanning tools to discover old and outdated versions of PHP and Apache before attempting to breach the system using known vulnerabilities with that version. Although it will not completely hide the fact you are using either system, you can easily remove the HTTP headers that are sent as part of every response by PHP and Apache, advertising their version number.

To reduce the security risk of your server, you should implement this, but remember that it will not hide the fact that you are using either software, it will simply not advertise the fact.

How to remove PHP header

The easiest way to disable the PHP version header is to change the PHP default setting within the php.ini file on your server. This is normally located within the /etc/ directory, but if it is not you can use the following to locate it your php.ini file:

# find / -iname php.ini

Once it is located, open the file in vi, then find the following line (you can use “/expose_php” within vi to find a string) and change the setting to “off”

# vi /etc/php.ini

Change to be:

expose_php = off

Once this is completed, restart Apache and examine the headers using your browsers developer toolbar.

# service httpd restart 
 Stopping httpd: [ OK ] 
 Starting httpd: [ OK ]

How to hide Apache header

Unfortunately you cannot simply remove the HTTP header that exposes Apache in a simple fashion (changing it would currently require editing the source), however it is possible to remove the Apache version number. Given that Apache is currently the most widely used server package, it is safe to say that your site will be scanned for Apache vulnerabilities anyway, but hiding the version number will make it slightly more troublesome.

To remove the version number, we need to edit the http.conf file to adjust both of the below statements (remember to use “/StringToSearchFor” in vi to find them):

# vi /etc/httpd/conf/httpd.conf

Both of the below settings need to be adjusted to match the values shown (they are in different areas of the configuration file, do not expect to see them sequentially, nor add them, they need to be adjusted):

ServerSignature Off 
ServerTokens Prod

As usual, confirm the configuration is valid after the change has been made and then restart the service.

# apachectl -t 
 Syntax OK 
 # service httpd restart 
 Stopping httpd: [ OK ] 
 Starting httpd: [ OK ]

You can now confirm the headers have been removed by checking them in your browsers developer toolbar.


Leave a Reply

Your email address will not be published. Required fields are marked *