When you access a website, some web server software transmits additional information, such as the server version, operating system, or plugins used. Hackers can exploit this information to target vulnerabilities in the software. This article will show you how to hide this information on Apache web servers.

Note

As a rule, you only have access to the configuration for self-managed web servers. IONOS web servers in shared hosting environments are already configured for the highest possible security.

Hide Apache server version

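The following settings prevent an Apache web server from leaking sensitive information. ServerTokens Prod reduces the Server response header to the product name only, and ServerSignature Off removes the server footer from server-generated pages such as error messages.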

Open the configuration file of your Apache web server and add or update the following:

ServerTokens Prod
ServerSignature Off

Some Apache web servers are configured to deliver a detailed status report. To check for this and restrict access to it, complete the following steps:

  • Check whether your web server offers a status report.
    To do this, enter your domain followed by /server-status in your browser (e.g. http://example.co.uk/server-status).
    If a page with technical information about your web server now appears, your web server is vulnerable.
  • Search for the following block in your web server configuration: 

    <Location "/server-status">
    SetHandler server-status
    </Location>

  • Adjust the configuration so that the page is not publicly accessible: 

    <Location "/server-status">
    SetHandler server-status
    # Apache 2.2-style access rules; Apache 2.4 accepts them only with mod_access_compat loaded.
    Order deny,allow
    Deny from all
    </Location>

  • Restart the Apache web server to load the updated configuration.
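To check a configuration against the settings above, the following added example (not IONOS or Apache project code) audits Apache configuration text for ServerTokens, ServerSignature and an unrestricted /server-status block. The function names and sample configurations are constructed for illustration, and accepting `Require all denied` as a deny rule is an assumption based on Apache 2.4 syntax, which the article does not mention.

```python
import re

# Matches the status block the article shows, with or without quotes.
STATUS_BLOCK = re.compile(
    r'<Location\s+"?/server-status"?\s*>(.*?)</Location>', re.I | re.S)

def directives(text):
    """Return (name, args) pairs for directive lines, normalised to lower case."""
    pairs = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            args = " ".join(parts[1].split()) if len(parts) > 1 else ""
            pairs.append((parts[0].lower(), args.lower()))
    return pairs

def audit(config_text):
    """Return findings; an empty list means the config matches the article."""
    findings = []
    # Judge server-wide directives separately from those inside status blocks.
    # dict() keeps the last value when a directive is repeated.
    top = dict(directives(STATUS_BLOCK.sub("", config_text)))
    if top.get("servertokens") not in ("prod", "productonly"):
        findings.append("ServerTokens is not Prod")
    if top.get("serversignature") != "off":
        findings.append("ServerSignature is not Off")
    for body in STATUS_BLOCK.findall(config_text):
        inner = directives(body)
        # "Deny from all" is the article's rule; "Require all denied" is the
        # Apache 2.4 form (an assumption added here, not from the article).
        denied = ("deny", "from all") in inner or ("require", "all denied") in inner
        if ("sethandler", "server-status") in inner and not denied:
            findings.append("/server-status has no deny rule")
    return findings

# Constructed sample configurations, not taken from a real server.
WEAK = """
ServerTokens OS
<Location "/server-status">
SetHandler server-status
</Location>"""
HARDENED = """
ServerTokens Prod
ServerSignature Off
<Location "/server-status">
SetHandler server-status
Order deny,allow
Deny from all
</Location>"""
```

Calling `audit(WEAK)` returns one finding per missing setting, while `audit(HARDENED)` returns an empty list.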

Further information can be found in the official Apache documentation.