====== Apache - Harden Apache - Hide web server version from appearing in HTTP header ======

Add these lines to ''/etc/apache2/apache2.conf'':

<code>
ServerTokens Prod
ServerSignature Off
</code>

**ServerTokens** controls how much information about the server is sent in the ''Server'' response header. The options available for ServerTokens are:

^ Setting ^ Server sends (e.g.) ^
| ''ServerTokens Prod[uctOnly]'' | ''Server: Apache'' |
| ''ServerTokens Major'' | ''Server: Apache/2'' |
| ''ServerTokens Minor'' | ''Server: Apache/2.0'' |
| ''ServerTokens Min[imal]'' | ''Server: Apache/2.0.41'' |
| ''ServerTokens OS'' | ''Server: Apache/2.0.41 (Unix)'' |
| ''ServerTokens Full'' (or not specified) | ''Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2'' |

**ServerSignature** configures a trailing footer line under server-generated documents, such as error messages and mod_proxy FTP directory listings. Setting it to ''Off'' suppresses the footer line.

Once added, restart or reload Apache to activate the changes:

<code>
/etc/init.d/apache2 restart
</code>

To check the header, you can use curl:

<code>
curl -I www.foo.net
</code>

where ''-I'' tells curl to fetch just the HTTP headers.

returns:

<code>
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Apache/2.2.15 (Red Hat)
</code>

With ''ServerTokens Prod'' in effect, the ''Server'' line should read only ''Server: Apache''. A response like the one above, which still shows the version and OS, means the setting has not been applied to that server.
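The configuration and header checks described above can be scripted. The following is an added example, not part of the original page: it reads the last uncommented ServerTokens and ServerSignature values from config text and classifies a Server header. The function names are assumptions of this example, and only a single file's text is inspected.

```shell
#!/bin/sh
# Added example, not from the original page. Sample inputs are constructed.

# Print the last uncommented value of directive $1 in config text $2.
# Assumption: one file only; Include'd files and per-vhost overrides
# are not followed.
directive_value() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(want) { val = $2 }
        END { print val }'
}

# Read config text on stdin; return 0 if it hides the version, else 1.
audit_conf() {
    conf=$(cat)
    tokens=$(directive_value ServerTokens "$conf" | tr 'A-Z' 'a-z')
    sig=$(directive_value ServerSignature "$conf" | tr 'A-Z' 'a-z')
    rc=0
    case "$tokens" in
        prod|productonly) ;;
        "") echo "ServerTokens not set, Apache defaults to Full"; rc=1 ;;
        *)  echo "ServerTokens $tokens sends more than the product name"; rc=1 ;;
    esac
    # ServerSignature defaults to Off, so a missing directive passes.
    case "$sig" in
        ""|off) ;;
        *) echo "ServerSignature $sig adds a footer to generated pages"; rc=1 ;;
    esac
    return "$rc"
}

# Read response headers on stdin; return 0 if the Server header shows more
# than a bare product name, 1 if it is bare, 2 if no Server header exists.
header_leaks() {
    value=$(tr -d '\r' | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[ ]*//p' | head -n 1)
    case "$value" in
        "") return 2 ;;
        */*|*"("*) echo "Server header leaks: $value"; return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples: the header shown on the page, then the page's config.
printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (Red Hat)\r\n' | header_leaks || true
printf 'ServerTokens Prod\nServerSignature Off\n' | audit_conf && echo "config OK"
```

Against a live setup, feed the functions real input: ''audit_conf < /etc/apache2/apache2.conf'' and ''curl -sI www.foo.net | header_leaks''.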