Just for fun I looked at the HTTP headers returned by a website I made, on a server whose Apache installation I administer, and found this:
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2009 11:44:56 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6
X-Powered-By: PHP/5.2.4-2ubuntu5.7
Connection: close
Content-Type: text/html
Nobody needs to know which exact PHP version is running on this machine, nor that a Subversion server (mod_dav_svn) lives on it. Even the operating system name and the Apache version are unnecessary in most cases: together these banners tell anyone scanning the host exactly which package versions to look up for known vulnerabilities, without a single further probe.
So how do you suppress this information?
Disable the “X-Powered-By”
- Log in to your server as root (or use sudo).
- Open your php.ini in an editor of your choice. Mine is /etc/php5/cgi/php.ini, because I serve PHP through mod_fcgid. With mod_php the file is /etc/php5/apache2/php.ini instead, and the CLI interpreter has its own copy under /etc/php5/cli/, so edit the one the web server actually loads (phpinfo() shows it as "Loaded Configuration File").
- Search for the following block and set expose_php to Off:
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = Off
If you like, you can read more about this setting in the official PHP documentation.
- Save and reload your Apache:
/etc/init.d/apache2 force-reload
Disable the “Server”-header
After searching for a while I found that removing the "Server" header entirely is not possible without recompiling Apache; the Apache developers consider this a feature. (Third-party modules such as mod_security can rewrite the header, but a stock build cannot drop it.) What you can choose is how much information the header carries, via the ServerTokens directive. Since Apache 2.0.44, ServerTokens also controls how much the ServerSignature footer on server-generated pages (error pages, directory listings) reveals, so set ServerSignature Off as well if it is enabled.
- If you are not logged in yet, log in as root.
- Open your Apache configuration; for me it is /etc/apache2/apache2.conf. (On Debian and Ubuntu, directives can also live in files pulled in by Include, so grep -r for ServerTokens under /etc/apache2 if you do not find it there.)
- Search for and edit the following lines:
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Full
- Replace Full with one of the options listed in the comment. This is what each option produces on my server:
Full     Server: Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6
OS       Server: Apache/2.2.8 (Ubuntu)
Minor    Server: Apache/2.2.8
Minimal  Server: Apache/2.2
Major    Server: Apache/2
Prod     Server: Apache
Note that only Prod drops the module tokens (DAV/2, SVN/1.4.6) as well as the version. If you like, you can also read the official documentation on ServerTokens.
- Save and reload your Apache:
/etc/init.d/apache2 force-reload
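As an added example (not part of the original post, and not Apache's or PHP's own tooling), here is a small POSIX shell script that audits the three settings involved, ServerTokens and ServerSignature in the Apache config and expose_php in php.ini, and rewrites them on copies of the files so you can see the effect before touching /etc. The sample apache2.conf and php.ini fragments are constructed for the demo, and the function names and $SAMPLE_DIR are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: audit and rewrite the settings
# that put version information into Apache's responses. Works on throw-away
# copies in $SAMPLE_DIR; the two sample config files below are constructed.
set -eu

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
APACHE_CONF="$SAMPLE_DIR/apache2.conf"
PHP_INI="$SAMPLE_DIR/php.ini"

# Constructed stand-ins for /etc/apache2/apache2.conf and /etc/php5/cgi/php.ini
cat > "$APACHE_CONF" <<'EOF'
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
ServerTokens Full
# Adds a version footer to server-generated pages (errors, directory listings)
ServerSignature On
EOF
cat > "$PHP_INI" <<'EOF'
; Decides whether PHP may expose the fact that it is installed on the server
expose_php = On
EOF

# Effective value of an Apache directive in one file: as in Apache, the last
# uncommented occurrence wins; $3 is the built-in default used when absent.
apache_directive() {
    v=$(awk -v n="$2" 'tolower($1) == tolower(n) { v = $2 } END { print v }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Same for a php.ini key ("key = value"; lines starting with ';' are comments).
php_ini_value() {
    v=$(awk -F'=' -v k="$2" '
        $0 !~ /^[[:space:]]*;/ && NF >= 2 {
            split($1, a, " ")
            if (tolower(a[1]) == tolower(k)) { gsub(/[[:space:]]/, "", $2); v = $2 }
        }
        END { print v }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Replace every occurrence of a directive, or append it when it is missing.
set_apache_directive() {
    awk -v n="$2" -v v="$3" '
        tolower($1) == tolower(n) { print n, v; found = 1; next }
        { print }
        END { if (!found) print n, v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

set_php_ini_value() {
    awk -F'=' -v k="$2" -v v="$3" '
        $0 !~ /^[[:space:]]*;/ && NF >= 2 {
            split($1, a, " ")
            if (tolower(a[1]) == tolower(k)) { print k " = " v; found = 1; next }
        }
        { print }
        END { if (!found) print k " = " v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Report what still leaks. Returns 0 when nothing does, so it can gate a deploy.
# Values are compared case-insensitively, as Apache and PHP treat them.
audit_disclosure() {
    leaks=0
    tokens=$(apache_directive "$1" ServerTokens Full | tr 'A-Z' 'a-z')
    sig=$(apache_directive "$1" ServerSignature Off | tr 'A-Z' 'a-z')
    expose=$(php_ini_value "$2" expose_php On | tr 'A-Z' 'a-z')
    [ "$tokens" = prod ] || { echo "ServerTokens $tokens: Server header carries version info"; leaks=1; }
    [ "$sig" = off ] || { echo "ServerSignature $sig: error pages carry a version footer"; leaks=1; }
    case "$expose" in
        off|0|no|false|none) ;;
        *) echo "expose_php $expose: X-Powered-By header is sent"; leaks=1 ;;
    esac
    return $leaks
}

# Keep pristine copies next to the files, then rewrite all three settings.
harden() {
    cp "$1" "$1.bak"; cp "$2" "$2.bak"
    set_apache_directive "$1" ServerTokens Prod
    set_apache_directive "$1" ServerSignature Off
    set_php_ini_value "$2" expose_php Off
}

echo "Before hardening:"
audit_disclosure "$APACHE_CONF" "$PHP_INI" || true
harden "$APACHE_CONF" "$PHP_INI"
echo "After hardening:"
audit_disclosure "$APACHE_CONF" "$PHP_INI" && echo "nothing leaks; reload Apache to apply"
```

The audit only reads the one file it is given; on Debian and Ubuntu a directive can also come from a file pulled in by Include, so run it against every file that mentions ServerTokens (grep -r ServerTokens /etc/apache2) before trusting the result. Point it at the real paths only after reading what it does, and reload Apache afterwards, since nothing here takes effect until you do.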
Result
I chose Major in the last step. Now the headers look like this:
HTTP/1.1 200 OK
Date: Sun, 06 Sep 2009 12:16:40 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
Important note: on its own this does not make the server any more secure, because you are only hiding information. The vulnerabilities in those versions are still there, and scanners can fingerprint Apache and PHP by their behaviour anyway; what you take away is the free, exact hint for anyone who greps banners. Keep the packages patched, and read up on "security through obscurity" if you want the argument in full.